[00:01.260 --> 00:03.500]  Hello everyone, and welcome to my DEF CON talk
[00:03.500 --> 00:07.100]  all about locks and keying systems and how to hack them.
[00:07.200 --> 00:09.080]  There's going to be a lot of math and problem solving
[00:09.080 --> 00:10.600]  involved in what we're talking about today.
[00:10.600 --> 00:12.320]  So for those of you who like that sort of thing,
[00:12.320 --> 00:14.240]  I think you're going to really like this talk.
[00:14.240 --> 00:16.560]  For those of you who don't like that as much,
[00:16.560 --> 00:18.720]  I'll be releasing a number of software applications
[00:18.720 --> 00:21.220]  that will do all the hard work for you.
[00:21.620 --> 00:23.480]  This is all about decoding locks,
[00:23.480 --> 00:25.260]  despite the very verbose title.
[00:25.260 --> 00:26.860]  So taking all the information available
[00:26.860 --> 00:28.600]  and creating a key for a lock
[00:28.600 --> 00:30.160]  where we didn't otherwise have one.
[00:30.640 --> 00:32.340]  It's a fairly long talk.
[00:32.860 --> 00:34.460]  So if you're watching this on YouTube after,
[00:34.460 --> 00:37.100]  I'll put a comment below with links to times in the video
[00:37.100 --> 00:39.060]  so you can skip to the parts of the talk
[00:39.060 --> 00:40.720]  that happened to interest you.
[00:41.360 --> 00:43.820]  I will just mention that this feels incredibly weird.
[00:43.820 --> 00:45.880]  The energy is so low compared to giving a main
[00:45.880 --> 00:48.220]  or a talk on the main stage at DEF CON.
[00:48.220 --> 00:50.780]  So I will do my absolute best to stay engaged
[00:50.780 --> 00:53.100]  and keep you awake and to stay awake myself.
[00:53.340 --> 00:56.340]  But the good news here is that this talk involves
[00:56.600 --> 00:57.880]  a lot of software demos
[00:57.880 --> 01:00.040]  and me going through the software I'll be releasing.
[01:00.040 --> 01:02.560]  That would have been absolutely terrifying
[01:02.560 --> 01:05.040]  to do on a main stage at DEF CON.
[01:05.220 --> 01:07.520]  So what you get out of that is the speaker
[01:07.520 --> 01:09.060]  who is going to be a lot less stressed out
[01:09.060 --> 01:11.460]  and making a lot fewer mistakes.
[01:12.580 --> 01:15.720]  So take a look at your key ring and see the keys on there
[01:15.720 --> 01:18.180]  and see how much you understand about what they are
[01:18.180 --> 01:19.820]  beyond just shapes of metal
[01:19.820 --> 01:22.060]  and how they interact with the lock.
[01:22.060 --> 01:23.740]  And that's what we're going to be talking about
[01:23.740 --> 01:25.320]  all through today.
[01:25.460 --> 01:26.700]  The way we're going to attack that
[01:26.700 --> 01:28.860]  is looking at how locks and keys work
[01:28.860 --> 01:30.840]  and the introduction of the tools I'm releasing
[01:30.840 --> 01:32.240]  to analyze them.
[01:32.240 --> 01:34.420]  We'll look at the economics and practicality
[01:34.420 --> 01:36.080]  of brute forcing all possible keys
[01:36.440 --> 01:39.680]  and reading the pins in a lock to get information from that.
[01:39.680 --> 01:41.340]  We'll improve on impressioning
[01:41.340 --> 01:43.660]  by applying the extra information that we have.
[01:43.660 --> 01:45.260]  And we'll look at key-like systems
[01:45.260 --> 01:47.580]  and lock disassembly to get information.
[01:47.840 --> 01:50.260]  We'll then formally introduce information theory
[01:50.260 --> 01:53.060]  and see how it applies to mechanical locks and keys.
[01:53.060 --> 01:55.040]  We'll introduce master keying systems
[01:55.040 --> 01:58.120]  and derive master keys from multiple low-level keys
[01:58.120 --> 02:00.620]  and perform other rights amplification attacks
[02:00.620 --> 02:04.020]  to create a master key where we didn't have one before.
[02:04.040 --> 02:05.440]  We'll look at a couple of special cases
[02:05.440 --> 02:07.640]  like construction keying, IC cores,
[02:07.640 --> 02:09.220]  and high-security secondary systems
[02:09.220 --> 02:11.000]  like Medeco and Mul-T-Lock.
[02:11.000 --> 02:13.280]  And finally, we'll talk about what the blue team can do
[02:13.280 --> 02:15.620]  to remediate from these attacks.
[02:15.820 --> 02:17.480]  All of the software that I'm releasing
[02:17.480 --> 02:20.640]  as a part of this talk can be found at these links here,
[02:20.640 --> 02:23.400]  both a version that you can try right in your web browser
[02:23.400 --> 02:25.580]  as well as the source down below.
[02:25.580 --> 02:27.300]  So before we jump into the new content,
[02:27.300 --> 02:29.500]  we'll give a very brief overview of how locks work
[02:29.500 --> 02:31.300]  for those who might not be familiar.
[02:31.560 --> 02:34.140]  So we have a key and it enters the lock
[02:34.140 --> 02:37.060]  and interfaces with a number of pins.
[02:37.060 --> 02:39.320]  We have key pins close to the key
[02:39.320 --> 02:41.160]  and driver pins higher up.
[02:41.160 --> 02:44.660]  And if they all line up with the top of this plug,
[02:44.660 --> 02:46.520]  it will allow the plug to turn.
[02:46.780 --> 02:47.880]  What do I mean by that?
[02:47.880 --> 02:49.280]  Well, let's take a look at a 3D model
[02:49.280 --> 02:50.840]  for what this is representing.
[02:50.840 --> 02:52.720]  So here's a familiar lock
[02:53.320 --> 02:58.100]  and this inner insert called the plug,
[02:58.100 --> 03:01.560]  when all those pins line up, it allows it to turn.
[03:01.560 --> 03:06.280]  So if we look at the cross section of it here,
[03:06.280 --> 03:08.360]  when those pins line up as I showed
[03:08.360 --> 03:10.260]  in the two-dimensional diagram,
[03:10.260 --> 03:13.600]  that's what then allows that to happen.
[03:13.600 --> 03:16.200]  And if any of those pins are not at the right height,
[03:16.200 --> 03:19.200]  so we have a driver pin into the plug
[03:19.200 --> 03:22.240]  or a key pin up into the housing,
[03:22.240 --> 03:23.820]  then that will not allow it to turn
[03:23.820 --> 03:26.320]  and the lock remains locked.
[03:26.480 --> 03:30.040]  Within the plug, we have holes for the key pins to go into
[03:30.520 --> 03:32.600]  and those holes don't go all the way down.
[03:32.600 --> 03:34.280]  So that's what stops the pins
[03:34.280 --> 03:36.200]  from falling right out of the lock.
[03:37.360 --> 03:40.240]  And so in this cross section we see here,
[03:40.240 --> 03:41.380]  this is where the key enters
[03:41.380 --> 03:43.140]  and then this is where the pins are.
[03:43.140 --> 03:44.460]  And that's what we're representing
[03:44.460 --> 03:50.320]  in our two-dimensional facsimile that we have here.
[03:50.320 --> 03:51.780]  So the key goes in,
[03:51.780 --> 03:54.940]  it raises the pins to the right height, the lock opens.
[03:55.280 --> 03:58.060]  If some of these pins are,
[03:58.060 --> 04:01.260]  or these key cuts are too high or too low,
[04:01.260 --> 04:04.840]  then it will not open because we have a driver pin
[04:04.840 --> 04:06.560]  or a key pin in the way.
[04:06.560 --> 04:09.680]  And we can see these shear lines are now binding,
[04:09.680 --> 04:11.380]  the lock does not open.
[04:11.920 --> 04:15.460]  It's worth noting that the positions in the key
[04:15.460 --> 04:17.460]  are all discrete.
[04:17.460 --> 04:21.480]  So we can have a set number of intervals
[04:21.480 --> 04:24.200]  for depths that these positions can take on.
[04:24.260 --> 04:28.320]  And that is defined by what type of lock it is,
[04:28.320 --> 04:30.660]  as well as the position of the pins, of course,
[04:30.660 --> 04:32.920]  is defined by what type of lock it is.
[04:32.920 --> 04:34.760]  So you can play around with this software yourself
[04:34.760 --> 04:37.520]  to understand what that top profile of a key
[04:37.520 --> 04:43.360]  actually means in terms of what key code it creates.
[04:45.300 --> 04:49.640]  So this is an example of what a plug cut in half
[04:49.640 --> 04:50.800]  actually looks like.
[04:50.800 --> 04:52.240]  So we can see where the pins go
[04:52.240 --> 04:54.400]  and where the key goes in here.
[04:54.980 --> 04:58.500]  A key itself is just mechanically encoded information.
[04:58.780 --> 05:01.960]  So I showed how we can change the code to different heights.
[05:02.180 --> 05:04.520]  Key codes are a number that represents that.
[05:04.520 --> 05:05.940]  So this is a Schlage key.
[05:05.940 --> 05:08.200]  We read it from shoulder to tip.
[05:08.260 --> 05:12.560]  So in pin one, we have from zero down to nine.
[05:12.560 --> 05:16.120]  We have eight cut and we can get seven, et cetera.
[05:16.120 --> 05:18.280]  So here's a two, we have zero, one, two.
[05:18.280 --> 05:20.600]  And from that, we can get the full bitting code
[05:20.600 --> 05:23.020]  of eight, seven, five, two, seven.
[05:23.120 --> 05:24.400]  And that makes sense.
[05:24.400 --> 05:28.100]  When we look at the profile of this key,
[05:28.100 --> 05:30.280]  deep, shallower, shallower, very shallow,
[05:30.280 --> 05:32.020]  and back to deep again.
[05:32.260 --> 05:34.060]  The thickness of the key from the base
[05:34.060 --> 05:37.060]  to the points of this cut here
[05:37.060 --> 05:40.280]  is given by this chart for the Schlage system.
[05:40.280 --> 05:44.600]  So an eight cut is going to be 215 thousandths of an inch
[05:44.600 --> 05:46.220]  from these two positions.
[05:46.860 --> 05:48.640]  Here's another example we can see.
[05:48.640 --> 05:50.440]  So five, two, eight, six, four.
[05:50.460 --> 05:52.380]  We can see it makes about sense.
[05:52.380 --> 05:55.420]  There's a five in the middle, a two is high up,
[05:55.420 --> 05:58.500]  eight is low cut, and then it's increasing from there.
[05:58.860 --> 06:00.420]  One thing we need to be aware of
[06:00.420 --> 06:02.920]  is the maximum adjacent cut specification.
[06:03.060 --> 06:06.760]  We can't have a very shallow cut beside a very deep cut.
[06:06.820 --> 06:09.580]  Or in one case, it's going to be too steep
[06:09.580 --> 06:11.880]  and we can't put the key in or get it out.
[06:11.880 --> 06:12.980]  Or in another case,
[06:12.980 --> 06:17.040]  we're going to start impinging on the neighboring cuts.
[06:17.040 --> 06:20.000]  So if you look at how a key is actually originated.
[06:22.000 --> 06:25.040]  So we can see in this lower left corner here,
[06:25.040 --> 06:28.560]  this cutter wheel that's taking bites out of the key.
[06:28.620 --> 06:29.740]  And so we're moving it along
[06:29.740 --> 06:31.920]  to predefined positions along the key,
[06:31.920 --> 06:34.880]  and then cutting down to predefined depths into the key.
[06:34.880 --> 06:36.020]  In this case, we're cutting it
[06:36.020 --> 06:38.960]  to the bitting code one, two, three, four, five.
[06:38.960 --> 06:41.340]  So here we are on the fifth position,
[06:41.340 --> 06:43.920]  cutting it down to a five depth.
[06:44.400 --> 06:47.340]  We can see that the way that cutter wheel cuts
[06:47.340 --> 06:53.140]  into the pins actually creates a sloped angle.
[06:53.240 --> 06:55.560]  And so here's an example of one key
[06:55.560 --> 06:59.100]  where we have a code zero, four, zero, three, seven.
[06:59.100 --> 07:01.660]  So that's again from shoulder to tip.
[07:02.000 --> 07:05.120]  If we wanted to bring pin two down
[07:05.120 --> 07:07.880]  so that it matches not this shear line, but this upper one,
[07:07.880 --> 07:10.440]  we can start cutting the four down and it works,
[07:10.440 --> 07:12.640]  down to a five, down to a six is fine.
[07:12.640 --> 07:17.900]  But now these shallow slope sides around it
[07:17.900 --> 07:19.940]  are getting very close to the neighbors.
[07:19.940 --> 07:22.120]  And in fact, when we put it down to a seven,
[07:22.120 --> 07:25.340]  those neighbors are now lowered by that.
[07:25.340 --> 07:28.200]  So that's a bit of a problem for us.
[07:28.460 --> 07:33.720]  It means that we cannot have a zero cut next to a seven cut.
[07:33.720 --> 07:36.080]  Zero next to six is okay, but not seven.
[07:36.080 --> 07:40.620]  So that's our maximum adjacent cut specification is six.
[07:40.620 --> 07:43.020]  Likewise, we can't have a one next to a seven
[07:43.020 --> 07:45.820]  or next to an eight, but it can be next to a seven.
[07:45.820 --> 07:46.980]  So the difference there is six.
[07:46.980 --> 07:49.340]  That's okay because it's maximum.
[07:49.780 --> 07:53.900]  And that's a property of almost all pin tumbler locks.
[07:53.900 --> 07:58.000]  And that's gonna limit what our key space is as well.
[08:00.860 --> 08:03.800]  Here's a chart of the most common max that we see.
[08:03.800 --> 08:05.500]  So most of them are seven.
[08:05.500 --> 08:09.120]  They have, in the case of Schlage, Sargent, Yale and Weiser,
[08:09.120 --> 08:11.280]  they have 10 different depths that are allowable.
[08:11.280 --> 08:13.480]  So at seven, that's fairly permissive.
[08:13.520 --> 08:14.980]  Kwikset only has six.
[08:14.980 --> 08:18.480]  So that means that our max is a little bit less at four.
[08:19.940 --> 08:21.400]  Now that we understand max,
[08:21.400 --> 08:23.880]  we can start to look at the key spaces.
[08:23.880 --> 08:25.860]  So the total number of differs,
[08:25.860 --> 08:29.260]  or number of possible keys that exist on a system.
[08:29.300 --> 08:31.540]  And naively, it's the number of depths
[08:31.540 --> 08:33.700]  to the power of the number of spaces.
[08:33.700 --> 08:34.920]  So for a Schlage key,
[08:34.920 --> 08:38.000]  there are 10 depths to the power of five or six spaces,
[08:38.000 --> 08:41.560]  for five or six pins, is 100,000 or a million.
[08:41.560 --> 08:44.820]  And for Medeco, it's six depths to the power of five or six,
[08:44.820 --> 08:47.140]  so seven or 46,000.
[08:47.380 --> 08:50.480]  So we can calculate that fairly easily here.
[08:50.520 --> 08:53.160]  A Schlage system with five pins and 10 depths,
[08:53.160 --> 08:55.780]  we have 100,000 possibilities.
[08:56.100 --> 08:59.020]  And six pins is going to be a million.
[08:59.160 --> 09:02.760]  And if it's a Medeco lock with six pins, six steps,
[09:02.760 --> 09:06.500]  that's 46,000 and that's six to the power of six.
[09:06.780 --> 09:09.240]  We can also add in our max here.
[09:09.240 --> 09:12.260]  So let's say that this is a Kwikset key
[09:12.260 --> 09:15.300]  with five pins and six depths.
[09:15.300 --> 09:19.180]  We can now scroll down and add some rules to this system
[09:19.180 --> 09:21.240]  to limit what our key space would be.
[09:21.240 --> 09:23.200]  So we start with 7,000.
[09:23.200 --> 09:26.760]  We find under max and add a max of four,
[09:26.760 --> 09:29.140]  for it being a Kwikset system.
[09:29.140 --> 09:33.220]  And that now limits it to 6,306.
[09:33.220 --> 09:37.440]  And we can see that the number of possible differs
[09:37.440 --> 09:41.880]  is less with cuts very shallow and very deep.
[09:41.880 --> 09:45.940]  So this number here, 941, means that 941 total differs
[09:46.340 --> 09:48.800]  have a zero cut in pin one.
[09:48.940 --> 09:50.380]  That's smaller than the number
[09:50.380 --> 09:52.140]  that can have a one cut in pin one.
[09:52.140 --> 09:56.740]  Because a zero cut can go up to four, that's within max,
[09:56.740 --> 09:58.820]  but it can't go all the way to a five.
[09:58.820 --> 10:00.940]  That would be too much of a difference.
[10:00.940 --> 10:02.560]  That would be a max violation.
[10:02.780 --> 10:04.620]  This one here can go to anything
[10:04.620 --> 10:06.520]  because it's close enough to everything
[10:06.520 --> 10:08.740]  that it will not violate max.
[10:09.220 --> 10:13.640]  To take this to the extreme, we can reduce max down to one.
[10:13.720 --> 10:15.700]  And so we now see the impact that has.
[10:15.700 --> 10:18.400]  We're down to only 340 possible keys.
[10:18.860 --> 10:22.400]  And if by some decoding that we'll talk about going forward,
[10:22.400 --> 10:25.280]  we know that say the shear line in pin one is a three,
[10:25.280 --> 10:29.740]  we now see the pin two can only be a two, three, or four.
[10:29.740 --> 10:31.240]  Anything else is too far from it.
[10:31.240 --> 10:34.320]  It's a max violation and that extends outwards.
[10:34.320 --> 10:36.360]  So that is severely limiting now
[10:36.360 --> 10:39.240]  the number of possible keys that are in our key space.
[10:39.240 --> 10:41.100]  And we'll look at how to drive these rules
[10:41.100 --> 10:43.000]  throughout the rest of this talk.
[10:43.000 --> 10:46.460]  In this case, we're down to 74 possible keys in our space.
[10:46.460 --> 10:49.620]  And so it's enumerating all of those key codes here.
[10:49.620 --> 10:50.980]  So these are the bitting codes.
[10:50.980 --> 10:53.360]  We could cut a key to these and try them.
[10:53.360 --> 10:56.020]  And it might work in this lock.
[10:59.020 --> 11:01.780]  We can take a brief look at keys versus passwords
[11:02.330 --> 11:04.900]  in terms of the brute force ability of them.
[11:05.000 --> 11:08.400]  So the cost to try a password is very close to zero,
[11:08.400 --> 11:09.580]  not quite negligible.
[11:09.580 --> 11:11.340]  In the case of a key, it's quite expensive.
[11:11.340 --> 11:13.400]  We have to pay for the blank and cutting the key
[11:13.400 --> 11:16.480]  and our time to actually go and physically try it.
[11:16.480 --> 11:19.300]  That's all quite expensive and time consuming.
[11:19.880 --> 11:21.840]  Keys can be, or passwords can be
[11:21.840 --> 11:23.800]  an unlimited length and complexity.
[11:23.800 --> 11:27.140]  Keys are severely limited in both length and complexity
[11:27.600 --> 11:30.540]  due to the mechanical nature of them.
[11:30.700 --> 11:34.240]  In a password, if it gets compromised, it's easy to change.
[11:34.240 --> 11:36.720]  And a key is very costly and time consuming.
[11:36.720 --> 11:39.220]  So what this means is with mechanical keys,
[11:39.220 --> 11:41.980]  things are harder for both the red team and the blue team.
[11:41.980 --> 11:43.620]  It's harder to brute force
[11:43.620 --> 11:45.740]  and try a whole bunch of combinations.
[11:45.820 --> 11:51.680]  But if a vulnerability is discovered by the red team,
[11:51.680 --> 11:53.060]  it's a lot harder for the blue team
[11:53.060 --> 11:55.860]  to actually mitigate it and work against that.
[11:57.360 --> 11:59.760]  To try brute force attack economically,
[11:59.760 --> 12:02.480]  if we look at just the cost of the blank,
[12:02.480 --> 12:05.100]  and we assume that if we own a code cutting machine,
[12:05.100 --> 12:08.180]  the marginal cost of cutting a new key on it
[12:08.180 --> 12:09.620]  is just your time.
[12:10.100 --> 12:12.860]  So keys are not particularly expensive in that case,
[12:12.860 --> 12:14.620]  between 13 cents and $3.
[12:14.900 --> 12:17.520]  And if you don't, you would have to use a locksmith
[12:17.520 --> 12:19.240]  who might do it for three to 10,
[12:19.240 --> 12:21.500]  possibly more for high security keys.
[12:21.500 --> 12:24.000]  So for instance, if we can reduce the key space
[12:24.000 --> 12:26.680]  of a given lock down to 1,000 possible keys,
[12:26.680 --> 12:28.300]  using the software that I showed you
[12:28.300 --> 12:30.960]  and applying rules that we're going to learn about soon,
[12:30.960 --> 12:36.320]  we might be able to try all of those 1,000 keys for $450.
[12:36.320 --> 12:40.000]  If we own a code machine, if the blanks are 45 cents each,
[12:40.000 --> 12:43.200]  if we have to go to a locksmith to get them cut,
[12:43.200 --> 12:46.520]  then he might charge $4 each for $4,000.
[12:46.920 --> 12:48.100]  And at that price,
[12:48.100 --> 12:50.260]  we're better off just buying our own code machine.
[12:51.780 --> 12:53.600]  What's important about this though,
[12:53.600 --> 12:56.280]  is that if whatever's being protected within that room
[12:56.280 --> 12:59.080]  is worth less than $4,000,
[12:59.080 --> 13:01.020]  it now becomes an economical attack
[13:01.020 --> 13:04.080]  to actually brute force all of these possible keys
[13:04.080 --> 13:05.800]  in the key space.
[13:06.300 --> 13:09.320]  One really good example of a lock where this is
[13:09.320 --> 13:12.020]  not just possible, but eminently feasible,
[13:12.020 --> 13:15.640]  is the Sargent and Greenleaf Environmental Padlock.
[13:15.640 --> 13:18.600]  It's a very well-built, beefy padlock
[13:18.600 --> 13:21.500]  meant for highly punishing outdoor environments.
[13:21.540 --> 13:24.720]  And there's very few small parts inside as well.
[13:24.720 --> 13:25.920]  It's a disc detainer lock,
[13:25.920 --> 13:27.120]  so it looks a bit different than the keys
[13:27.120 --> 13:28.520]  we've looked at so far,
[13:28.520 --> 13:30.760]  but we can analyze it exactly the same.
[13:30.760 --> 13:32.640]  It has three different discs
[13:33.060 --> 13:35.960]  and the key can be cut to either 180 degrees,
[13:35.960 --> 13:40.580]  as we see in the middle here, 135 or 90 degrees.
[13:40.580 --> 13:44.280]  So three discs and three different positions
[13:44.760 --> 13:46.920]  that each one can be cut to.
[13:47.660 --> 13:50.320]  Let's put that into our key space software.
[13:50.320 --> 13:51.940]  So get rid of those rules.
[13:51.940 --> 13:54.700]  And this is a disc detainer,
[13:55.260 --> 14:00.080]  one based with three discs and three possible depths each.
[14:00.080 --> 14:03.720]  And we see 27 is our total key space.
[14:03.720 --> 14:05.780]  That is everything that that Sargent
[14:05.780 --> 14:08.940]  and Greenleaf Environmental can possibly take on.
[14:10.260 --> 14:12.020]  And that's three to the third power.
[14:12.020 --> 14:12.740]  That makes sense.
[14:12.740 --> 14:15.480]  And we see them all enumerated here.
[14:16.280 --> 14:19.040]  It's a little bit more complicated than that,
[14:19.040 --> 14:21.920]  because if we insert this key
[14:21.920 --> 14:24.160]  and we turn it and open that lock,
[14:24.160 --> 14:27.120]  one design feature is that they want it to be key retaining.
[14:27.120 --> 14:29.640]  We can't pull the key out if the lock is open.
[14:29.700 --> 14:33.140]  If this were, say, cut 180, 180, 180,
[14:33.140 --> 14:36.400]  that would be possible to do, and we don't want that.
[14:36.680 --> 14:39.880]  So we actually want to remove all of these key combinations
[14:39.880 --> 14:41.620]  that would not be key retaining
[14:41.620 --> 14:44.260]  that we can pull that key out of the lock for.
[14:44.260 --> 14:46.400]  So 1, 1, 1 is no good.
[14:46.540 --> 14:49.960]  1, 1, 2 is no good because 2 is lower than 1.
[14:49.960 --> 14:52.120]  So it has to go up at least once.
[14:52.120 --> 14:53.840]  So 1, 2, 1 is good.
[14:54.300 --> 14:55.640]  1, 3, 1 is good.
[14:55.640 --> 14:57.780]  1, 3, 2 is, but 1, 3, 3 is not,
[14:57.780 --> 15:01.200]  because it doesn't go back up at least once throughout it.
[15:01.580 --> 15:04.220]  So we can add a rule for that under max and stuff.
[15:04.220 --> 15:06.340]  We can add a rule for key retaining,
[15:06.340 --> 15:09.400]  and that's going to reduce those,
[15:09.400 --> 15:12.640]  that key space to remove differs
[15:12.640 --> 15:14.840]  that are not going to be key retaining
[15:15.440 --> 15:17.340]  in this particular case.
[15:17.620 --> 15:20.040]  And so we can see now that there's more
[15:20.040 --> 15:22.260]  with a deeper cut in disc one
[15:22.260 --> 15:24.600]  and a shallower cut in disc three.
[15:24.600 --> 15:28.900]  And that's because if it steps down from 1, 2 to 3,
[15:28.900 --> 15:31.660]  that's not going to be key retaining.
[15:31.760 --> 15:35.960]  So we could create all 17 of these possible keys,
[15:35.960 --> 15:37.180]  and that might make sense
[15:37.180 --> 15:38.480]  because it'll work on all Sargent
[15:38.480 --> 15:40.540]  and Greenleaf Environmental locks.
[15:40.620 --> 15:42.480]  If we have, say, a budget limitation,
[15:42.480 --> 15:44.540]  and we don't want to pay for 17 blanks,
[15:44.540 --> 15:47.540]  which would be, we've put 41 here,
[15:47.540 --> 15:48.500]  it would actually be a bit more
[15:48.500 --> 15:50.360]  because these blanks are worth more,
[15:50.360 --> 15:52.860]  but this is just an order of magnitude calculation.
[15:53.200 --> 15:56.360]  We can click down here and click brute force save blanks,
[15:56.360 --> 15:57.500]  where it'll run a little algorithm
[15:57.500 --> 15:59.680]  to try to optimize for you,
[15:59.680 --> 16:02.040]  cutting one blank and then filing it down.
[16:02.040 --> 16:05.560]  So 1, 2, 1 follows 1, 3, 1 to 1, 3, 2, et cetera.
[16:05.760 --> 16:08.160]  And that way we can test out the entire key space
[16:08.160 --> 16:09.960]  in as few blanks as possible.
[16:09.960 --> 16:12.440]  This particular algorithm here,
[16:12.440 --> 16:14.120]  to find the optimal solution,
[16:14.120 --> 16:16.620]  turns out to be an NP complete problem.
[16:16.620 --> 16:21.120]  It ends up being reducible to the set cover problem,
[16:21.730 --> 16:25.560]  but we have a somewhat suboptimal greedy algorithm
[16:25.560 --> 16:27.100]  that I've implemented here,
[16:27.100 --> 16:29.220]  that empirically I found is good enough
[16:29.220 --> 16:32.180]  for getting us a decent algorithm
[16:32.630 --> 16:34.940]  of saving ourselves some blanks.
[16:34.940 --> 16:37.260]  So in this case, it goes from $41
[16:37.760 --> 16:41.520]  to get all 17 blanks down to just 12,
[16:41.520 --> 16:44.400]  since we only need five blanks now.
[16:44.420 --> 16:47.420]  So that's the Sargent Greenleaf Environmental Padlock.
[16:47.420 --> 16:49.900]  It's a very good padlock for what it's designed for.
[16:49.900 --> 16:53.320]  It's not really designed for security of the key space,
[16:53.320 --> 16:54.620]  and that's okay.
[16:54.620 --> 16:57.220]  It was used for a number of years
[16:57.220 --> 16:58.840]  back before people knew this.
[16:58.840 --> 17:01.580]  And so it sort of benefited from security by obscurity.
[17:01.580 --> 17:03.400]  But for that reason,
[17:03.400 --> 17:05.100]  this particular lock is not used
[17:05.100 --> 17:08.000]  for high security applications anymore.
[17:08.540 --> 17:09.960]  So let's shift gears a little bit
[17:09.960 --> 17:13.940]  and look at locks where we can try the entire key space,
[17:13.940 --> 17:16.680]  not by reducing possible differs,
[17:16.680 --> 17:18.920]  but by trying multiple at once.
[17:19.040 --> 17:22.100]  So this is the Kwikset SmartKey lock.
[17:22.100 --> 17:23.360]  It's smart key, so to speak,
[17:23.360 --> 17:25.740]  because it has this hole you can insert a special tool
[17:25.740 --> 17:28.920]  to rekey the lock without ever taking it apart.
[17:28.920 --> 17:30.600]  Kind of a cool design.
[17:30.600 --> 17:32.180]  Unfortunately, it's manufactured
[17:32.180 --> 17:34.700]  with extremely loose tolerances.
[17:35.100 --> 17:38.620]  And what that allows is us to actually try half heights.
[17:38.880 --> 17:41.200]  So normally, if you have a one cut
[17:41.200 --> 17:43.940]  in a particular pin position,
[17:44.460 --> 17:46.100]  that will work if the pin is a one
[17:46.100 --> 17:47.920]  or a two will work for two.
[17:47.920 --> 17:50.060]  What this lets you do is cut it to one and a half,
[17:50.060 --> 17:52.940]  and that will work for both a one and a two.
[17:54.500 --> 17:56.420]  So by allowing us to do that,
[17:56.420 --> 18:01.580]  we can reduce it down to 200 and some odd possibilities.
[18:01.580 --> 18:07.080]  So let's simulate that in our Keyspace software here.
[18:07.080 --> 18:10.680]  So Kwikset locks, so it has five pins and six depths.
[18:10.680 --> 18:16.100]  And then six to the five is 7,700, as we looked at before,
[18:16.100 --> 18:18.860]  when we have to try all of one through six.
[18:18.920 --> 18:20.300]  When half heights work though,
[18:20.300 --> 18:22.620]  it turns into three to the five,
[18:22.620 --> 18:25.820]  because we can use 1.5, 3.5, and 5.5
[18:25.820 --> 18:28.760]  to try everything from one to six.
[18:28.960 --> 18:30.680]  And so we can see here that trying out
[18:30.680 --> 18:32.880]  all of these half height keys
[18:32.880 --> 18:34.500]  to exhaust the entire Keyspace
[18:34.500 --> 18:38.220]  would cost about $500 to make all of them.
[18:38.480 --> 18:42.800]  And there actually exists commercial sets you can buy
[18:42.800 --> 18:44.900]  that costs on that order as well
[18:45.740 --> 18:49.080]  to try all of these different options.
[18:49.080 --> 18:51.600]  So that is something that's out there
[18:51.600 --> 18:54.560]  for the Kwikset keys,
[18:54.560 --> 18:57.000]  the Kwikset SmartKey in particular.
[18:57.000 --> 19:00.380]  And that is something that usually
[19:00.380 --> 19:02.500]  wouldn't be your go-to attack methodology
[19:02.500 --> 19:04.240]  because the Kwikset SmartKey,
[19:04.240 --> 19:09.480]  by virtue of those loose tolerances, is easy to pick.
[19:09.540 --> 19:12.560]  But if you wanted to use it to, say,
[19:12.560 --> 19:14.040]  determine the key for one lock,
[19:14.040 --> 19:16.600]  and then you could get in very quickly in future,
[19:16.600 --> 19:20.540]  or if you had multiple locks
[19:20.540 --> 19:21.900]  that you know are all keyed alike,
[19:21.900 --> 19:23.240]  once you figure out the key for one,
[19:23.240 --> 19:24.540]  it's going to work for the rest.
[19:24.540 --> 19:26.300]  That's something that you can do.
[19:26.300 --> 19:28.560]  Let's examine for a few minutes
[19:29.300 --> 19:31.320]  why this actually works
[19:31.320 --> 19:34.260]  and why locks sometimes accept keys
[19:34.260 --> 19:36.800]  that are cut incorrectly.
[19:37.020 --> 19:39.280]  So in this particular case,
[19:39.280 --> 19:42.520]  we have a set of probability distributions.
[19:42.520 --> 19:46.840]  So this is the one cut, two, three, four to six
[19:47.720 --> 19:50.500]  for a Kwikset lock.
[19:50.740 --> 19:54.280]  And we can notice that this is where it's supposed to be,
[19:54.280 --> 19:55.540]  where it's supposed to be cut at.
[19:55.540 --> 19:58.540]  And if we're a little bit above that or below that,
[19:58.540 --> 20:01.200]  the probability falls off relatively slowly
[20:01.760 --> 20:05.180]  so that if we go exactly between two cuts,
[20:05.180 --> 20:07.020]  it still has a very high chance
[20:07.020 --> 20:10.700]  of actually working on either the lower or the upper.
[20:11.020 --> 20:14.600]  This distribution here, a fairly normal looking one,
[20:15.140 --> 20:18.020]  exists because the Kwikset SmartKey lock
[20:18.020 --> 20:20.760]  is a type of wafer tumbler.
[20:20.760 --> 20:23.980]  So wafers are symmetric in what they'll actually accept.
[20:23.980 --> 20:28.160]  And it's also one with very bad tolerances.
[20:28.580 --> 20:31.360]  If we pump that down a little bit,
[20:31.680 --> 20:35.140]  we start to get it accepting less and less.
[20:35.140 --> 20:37.680]  And so a lower probability of actually having a key
[20:37.680 --> 20:40.600]  that's cut halfway in between work.
[20:40.880 --> 20:43.760]  And we can also look at what happens
[20:43.760 --> 20:45.200]  with a pin tumbler lock.
[20:45.200 --> 20:48.780]  In particular, when we have pins involved,
[20:48.780 --> 20:51.960]  it becomes a much faster fall off
[20:52.760 --> 20:55.260]  when the key is cut too high.
[20:55.260 --> 20:59.460]  And the reason for that is because if we look at
[21:00.500 --> 21:05.020]  what a pin tumbler lock looks like on the inside,
[21:05.020 --> 21:07.500]  if that pin is too high,
[21:07.500 --> 21:11.740]  it's going to stick out above this core here.
[21:11.740 --> 21:14.100]  And when it sticks out above that core,
[21:14.100 --> 21:18.340]  it is now physically blocked by the housing.
[21:18.340 --> 21:21.700]  It needs to stick up into this.
[21:21.700 --> 21:24.020]  And we cannot turn that core at all
[21:24.620 --> 21:27.680]  if it's more than one or two thousandths of an inch too high.
[21:27.840 --> 21:31.040]  So both the fall off on the probability distribution
[21:31.560 --> 21:33.660]  is significantly faster,
[21:33.660 --> 21:36.360]  as well as the amount too high it can be
[21:36.360 --> 21:41.080]  before it starts falling off is also significantly lower.
[21:41.080 --> 21:43.000]  Whoops, that was the wrong slider there.
[21:43.100 --> 21:46.220]  And so we get a probability distribution
[21:46.220 --> 21:49.960]  that looks something a lot more like this
[21:49.960 --> 21:52.020]  for a pin tumbler lock.
[21:52.020 --> 21:54.740]  So this would be a Kwikset probability distribution
[21:54.740 --> 21:59.200]  for accepting a one cut key.
[21:59.200 --> 22:01.480]  So if it's a little bit too high, it falls off quickly.
[22:01.480 --> 22:03.560]  If it's a bit low, it works out okay.
[22:03.560 --> 22:06.480]  And then two through six as well.
[22:07.840 --> 22:11.300]  In the case of a Schlage, we have 10 cuts
[22:11.300 --> 22:13.920]  and they're much more closely spaced together.
[22:14.040 --> 22:16.420]  So now we have, even though it's a pin tumbler lock,
[22:16.420 --> 22:18.340]  which generally has better tolerances,
[22:18.340 --> 22:22.680]  now we have a much higher probability of it working
[22:22.680 --> 22:27.220]  if we are somewhat between these two positions.
[22:27.220 --> 22:30.020]  As that Schlage lock gets worn out,
[22:30.020 --> 22:33.540]  that increases as well significantly.
[22:33.540 --> 22:38.560]  So a very worn out pin tumbler lock will now accept,
[22:38.560 --> 22:40.760]  even if it's a full height below,
[22:40.760 --> 22:44.140]  it'll still let it work a lot easier.
[22:44.140 --> 22:46.660]  The way that that actually happens
[22:47.100 --> 22:51.880]  is if we look at a lock here and we cut one height too low,
[22:51.880 --> 22:54.380]  we can see that as that key jiggles
[22:54.380 --> 22:57.100]  and moves in and out of the lock a little bit,
[22:57.100 --> 22:59.980]  it only has to bump this driver pin up a tiny bit
[22:59.980 --> 23:03.160]  for it to actually get lodged in the housing
[23:03.160 --> 23:05.220]  and allow this key to turn.
[23:05.300 --> 23:07.220]  And so that's something that does not have
[23:07.220 --> 23:10.000]  this hard mechanical constraint of housing.
[23:10.000 --> 23:11.800]  It just has to bump up a bit.
[23:11.800 --> 23:13.720]  And that's why if a key is cut too low
[23:13.720 --> 23:15.100]  for a pin tumbler lock,
[23:15.100 --> 23:18.760]  it's a lot more permissive for what it will actually allow.
[23:18.820 --> 23:21.440]  So for a very worn Schlage lock,
[23:21.440 --> 23:23.540]  these are very close together.
[23:23.540 --> 23:25.420]  And so being close together means that
[23:26.800 --> 23:30.420]  the probability distributions overlap by a lot,
[23:30.420 --> 23:33.340]  as well as it's quite wide in a worn lock.
[23:33.340 --> 23:37.160]  We get it to be somewhat permissive as well
[23:37.160 --> 23:38.720]  for what it will accept.
[23:42.410 --> 23:44.730]  So that's lock tolerances.
[23:44.730 --> 23:46.990]  That's sort of an interesting aside there.
[23:46.990 --> 23:49.730]  This particular mathematical model that we've derived
[23:49.730 --> 23:53.470]  is from both theoretical and then empirical confirmation
[23:54.650 --> 23:57.390]  that this is actually how locks behave
[23:57.390 --> 24:00.550]  when the keys are slightly too high and too low.
[24:00.550 --> 24:02.850]  And this is of course an n-dimensional distribution
[24:02.850 --> 24:04.350]  where there are n pins.
[24:04.350 --> 24:07.430]  So what I was showing here is a slight simplification
[24:07.910 --> 24:09.330]  of that.
[24:09.830 --> 24:13.410]  So 243 keys is possible to brute force,
[24:13.410 --> 24:16.710]  but not practical in many situations.
[24:16.710 --> 24:18.870]  So what can we do to actually reduce
[24:18.870 --> 24:20.410]  that key space even further?
[24:20.410 --> 24:21.770]  One thing we can possibly do
[24:21.770 --> 24:24.310]  is get a photograph of that key.
[24:24.310 --> 24:26.470]  So oftentimes you see security guards
[24:26.470 --> 24:28.610]  and users leaving keys lying out on the desk
[24:28.610 --> 24:29.970]  in the public view.
[24:29.970 --> 24:32.010]  This is one of the most egregious cases
[24:32.010 --> 24:34.870]  of these key watchers with transparent windows
[24:35.430 --> 24:37.970]  behind a publicly accessible desk
[24:37.970 --> 24:39.790]  with the facility's keys visible
[24:39.790 --> 24:42.330]  and photographable through that.
[24:42.610 --> 24:44.190]  And of course, people like to wear keys
[24:44.190 --> 24:45.190]  on their belt as well,
[24:45.190 --> 24:47.270]  and that can be photographed as well.
[24:47.350 --> 24:49.330]  If you can get a good enough photograph,
[24:49.330 --> 24:52.530]  you can superimpose these depth and spacing lines
[24:52.530 --> 24:54.630]  and determine directly from the photo
[24:54.630 --> 24:56.290]  what that key code is.
[24:56.290 --> 24:58.610]  And this is something that I've got another talk coming
[24:58.610 --> 25:00.710]  in the next year or so about,
[25:00.710 --> 25:01.990]  all about how to do this
[25:01.990 --> 25:05.310]  and how to work with poor quality photographs
[25:06.010 --> 25:08.830]  and releasing software to do this as well.
[25:08.830 --> 25:10.750]  But that's not this talk.
[25:11.410 --> 25:16.830]  What happens though if that photograph is not great quality
[25:17.290 --> 25:18.950]  and how can we use other information
[25:18.950 --> 25:21.290]  to help deduce what it is?
[25:21.290 --> 25:24.270]  So here's an example of a vehicle key
[25:24.270 --> 25:26.510]  that's left on a desk photographed
[25:26.510 --> 25:28.750]  at a distance of about 10 feet.
[25:28.990 --> 25:31.510]  We can try zooming in, but that doesn't do much for us.
[25:31.510 --> 25:32.870]  This is incredibly grainy.
[25:32.870 --> 25:35.630]  There is not a whole lot that we can tell from it.
[25:35.630 --> 25:37.450]  So what can we do?
[25:37.890 --> 25:42.930]  So let's first recognize that this is a Ford vehicle key.
[25:43.110 --> 25:44.930]  And by looking it up,
[25:44.930 --> 25:49.890]  we can find that it is eight positions
[25:49.890 --> 25:53.450]  by five possible depths.
[25:54.150 --> 25:58.490]  And it is a wafer tumbler lock.
[25:58.890 --> 26:01.530]  And of course, half heights, we'll visit
[26:01.530 --> 26:03.530]  in a few minutes about this.
[26:03.530 --> 26:05.230]  We will come back to that.
[26:05.230 --> 26:09.930]  But we have naively now 390,000 possible key differs
[26:09.930 --> 26:11.990]  for this particular key.
[26:12.190 --> 26:15.210]  Based on the photo, we can't get a whole lot,
[26:15.210 --> 26:16.650]  but we can get something from it.
[26:16.650 --> 26:19.010]  So we can go on over to our photos tab here
[26:19.930 --> 26:23.590]  and add a rule, basically looking at that picture
[26:23.590 --> 26:26.270]  and saying, well, we know that one pin
[26:26.270 --> 26:28.070]  is a little bit high cut, one is low,
[26:28.070 --> 26:31.790]  and see if we can narrow it down a little bit from there.
[26:32.370 --> 26:34.330]  So we have eight pins here.
[26:34.330 --> 26:36.950]  We can see in the middle,
[26:36.950 --> 26:39.810]  these two, this is number four and five,
[26:39.810 --> 26:44.310]  are lining up with the top blank height.
[26:44.350 --> 26:47.310]  So this four and five, we can be relatively confident
[26:47.310 --> 26:50.690]  even from this poor quality picture is a one cut.
[26:50.730 --> 26:54.010]  And then six, seven, eight is beyond that.
[26:54.010 --> 26:55.750]  Six is fairly deep.
[26:55.950 --> 26:59.190]  It looks to be a three or deeper,
[26:59.190 --> 27:00.370]  but it's not the deepest
[27:00.370 --> 27:02.270]  because we have one that's deeper here.
[27:02.270 --> 27:03.690]  So this is a three or a four.
[27:04.050 --> 27:07.030]  And then beyond that, it's fairly shallow.
[27:07.030 --> 27:09.550]  It might be a one, it might be a two.
[27:09.550 --> 27:12.250]  It's likely not a three or anything deeper than that.
[27:12.250 --> 27:15.830]  So we can start adding those rules in.
[27:15.830 --> 27:19.750]  So four and five are both one cuts.
[27:19.830 --> 27:24.510]  Six is fairly deep, but not the deepest.
[27:24.590 --> 27:28.630]  And then seven and eight are fairly high cut,
[27:28.630 --> 27:31.350]  but we don't know exactly what.
[27:31.410 --> 27:32.930]  Popping back to our picture
[27:32.930 --> 27:35.210]  and looking at the first few pins,
[27:35.210 --> 27:36.370]  we see one, two, and three
[27:36.370 --> 27:38.350]  kind of make this bitting pattern here.
[27:39.150 --> 27:42.390]  So this pin two is fairly deep.
[27:42.390 --> 27:44.270]  We don't know if it's the absolute deepest,
[27:44.270 --> 27:46.630]  but it's say a three, four, or a five.
[27:46.690 --> 27:49.830]  And then pin three, well, we know it's not the shallowest.
[27:49.830 --> 27:50.810]  We know it's not the deepest.
[27:50.810 --> 27:52.370]  That's about all we can tell.
[27:52.790 --> 27:55.450]  And pin one, well, we know it's fairly shallow.
[27:55.530 --> 27:59.030]  So we can add that here as well.
[27:59.030 --> 28:01.630]  So pin two is quite deep, a three, four, or five.
[28:01.630 --> 28:04.950]  Pin three, we know it's not the shallowest or the deepest.
[28:04.970 --> 28:07.630]  And pin one is quite shallow.
[28:07.790 --> 28:09.970]  And we can add that rule here.
[28:10.130 --> 28:13.610]  And we now get this 390,000 possibilities
[28:13.610 --> 28:15.670]  reduced to 216.
[28:15.750 --> 28:20.730]  That's pretty good, but that's still a lot to try.
[28:20.730 --> 28:22.850]  The other thing that we can look at doing
[28:22.850 --> 28:25.490]  is recognizing that this system
[28:25.490 --> 28:28.970]  is actually on what's called code books.
[28:28.970 --> 28:32.190]  So this particular type of Ford key
[28:33.050 --> 28:36.910]  is one of only a few different differs
[28:36.910 --> 28:41.870]  that will be manufactured, not all 390,000 possible ones.
[28:42.350 --> 28:46.630]  And that's just done to make keying the locks up
[28:46.630 --> 28:49.090]  easier at the factory effectively.
[28:49.130 --> 28:52.750]  So we can add a rule for that as well under code books.
[28:52.750 --> 28:57.030]  This is a Ford fleet keying system.
[28:57.030 --> 29:00.790]  And by adding that, we now see that there's only one key
[29:00.790 --> 29:02.810]  that's actually in the code books
[29:02.810 --> 29:05.630]  that follows these rules that we determined.
[29:05.730 --> 29:08.590]  And that's the 0151X.
[29:09.070 --> 29:11.810]  And so getting a better picture,
[29:11.810 --> 29:13.970]  if we're able to come back and get one,
[29:13.970 --> 29:16.810]  we would see that it is indeed an 0151X
[29:16.810 --> 29:18.190]  that we were photographing.
[29:18.190 --> 29:20.870]  And we can see now from this much better picture,
[29:20.870 --> 29:22.430]  we can read off the code.
[29:22.570 --> 29:26.150]  So we have a two cut here, it's slightly below the blank,
[29:26.150 --> 29:28.870]  followed by a very deep, this is a four or a five,
[29:28.870 --> 29:32.670]  followed by three, one, one, three, two, two.
[29:32.790 --> 29:36.170]  And so we can see from looking at it here
[29:36.170 --> 29:41.250]  that that is indeed what we found for this particular key.
[29:41.250 --> 29:43.590]  So that is a combination of both
[29:43.590 --> 29:47.330]  the photograph limitations that we found,
[29:47.330 --> 29:50.370]  as well as knowing that it must be in the code books.
[29:50.530 --> 29:51.630]  So if you remove this rule,
[29:51.630 --> 29:52.750]  we can see that the code books
[29:52.750 --> 29:55.970]  actually only have 1,700 possibilities.
[29:55.970 --> 29:58.270]  And that gives us a lot of narrowing down
[29:58.270 --> 30:00.890]  of what that particular key can be.
[30:00.890 --> 30:03.350]  And in pin eight, it can never be a one depth
[30:03.350 --> 30:07.250]  because it starts to taper off at the tip of the key there.
[30:07.250 --> 30:10.710]  So a one will not physically fit on that key.
[30:11.350 --> 30:12.730]  So that's sort of a cool example
[30:13.370 --> 30:16.750]  of combining code books with photographs
[30:17.230 --> 30:21.450]  to determine what a key's final code is.
[30:21.970 --> 30:24.630]  We can also combine it with these half heights
[30:24.630 --> 30:26.750]  that we talked about before.
[30:26.750 --> 30:29.050]  So if half heights are available
[30:29.050 --> 30:32.570]  for this particular type of key,
[30:32.570 --> 30:34.550]  if cutting it halfway between a one and a two
[30:34.550 --> 30:36.670]  will work for both a one and a two,
[30:36.670 --> 30:38.630]  we can see the effect that would have,
[30:38.630 --> 30:42.910]  and that would reduce it from 1,700 possibilities to 460
[30:43.350 --> 30:45.890]  that would try out all possible locks
[30:45.890 --> 30:49.030]  that would be manufactured based on these code books.
[30:49.250 --> 30:51.250]  And for many vehicle locks,
[30:51.250 --> 30:52.610]  because they're wafer tumblers,
[30:52.610 --> 30:54.770]  they have relatively loose tolerances,
[30:54.770 --> 30:56.250]  that is actually the case.
[30:56.250 --> 31:00.210]  You have both code books and half heights will work.
[31:00.210 --> 31:03.110]  And so you have many of what's called try out key sets
[31:03.110 --> 31:04.670]  for vehicle locks,
[31:04.670 --> 31:08.150]  which is a number of keys that will try out
[31:08.810 --> 31:12.210]  most or all of the code book keys that are possible
[31:12.750 --> 31:15.550]  that will let you then determine what key is used
[31:15.550 --> 31:19.770]  in a particular vehicle or a particular fleet of vehicles.
[31:20.550 --> 31:25.330]  Auto jigglers are sort of the next stage down from that.
[31:25.330 --> 31:27.570]  And so they are not keys at all.
[31:27.570 --> 31:30.390]  They allow you to move them up and down and angle them
[31:30.390 --> 31:32.590]  and sort of do some fuzzing
[31:32.590 --> 31:35.590]  to try even more combinations quickly.
[31:35.590 --> 31:38.210]  And the high quality auto jigglers
[31:38.210 --> 31:40.630]  were somewhat intelligently designed
[31:40.970 --> 31:44.570]  to be effectively these try out key sets,
[31:44.570 --> 31:47.530]  except adding that degree of freedom
[31:47.530 --> 31:51.210]  for up, down, in, out, tilt, tilt,
[31:51.210 --> 31:54.310]  so that we have rather than just,
[31:54.310 --> 31:56.290]  or rather than 80 or 400,
[31:56.290 --> 31:58.910]  we have only 10 of them that can work on
[31:58.910 --> 32:01.350]  many, many automotive locks
[32:01.350 --> 32:03.850]  and not manufacturer specific either.
[32:03.850 --> 32:07.050]  And of course, further down that continuum is raking,
[32:07.050 --> 32:09.350]  which works in a similar way.
[32:09.350 --> 32:11.430]  So what happens if we don't have a key to photograph
[32:11.430 --> 32:13.410]  or other information like that?
[32:13.410 --> 32:16.650]  Well, then we can decode by looking at the lock itself.
[32:16.650 --> 32:18.190]  So here's sort of a funny example
[32:18.190 --> 32:20.390]  where the key pin is visible in its entirety
[32:20.390 --> 32:22.070]  through the front of the lock.
[32:22.070 --> 32:24.030]  And so from this, we can tell the length of the key pin
[32:24.030 --> 32:27.050]  and therefore the depth of the first cut on that key.
[32:27.110 --> 32:30.290]  We can look deeper in the lock using this device here,
[32:30.290 --> 32:31.570]  which is called a lock scope.
[32:31.570 --> 32:33.430]  So it's like the otoscopes that are used
[32:33.430 --> 32:36.390]  to look into your ear at the doctor's office.
[32:36.390 --> 32:39.590]  And they shine light through the back of this lock.
[32:39.590 --> 32:41.830]  And we can see then every pin through it
[32:41.830 --> 32:44.190]  with a little magnifier that's inside of it.
[32:44.390 --> 32:45.850]  So this is cool.
[32:45.850 --> 32:47.550]  We can't tell a whole lot from this.
[32:47.550 --> 32:48.910]  Wouldn't it be nice if just by looking
[32:48.910 --> 32:49.830]  at the bottom of the pins,
[32:49.830 --> 32:51.670]  we could actually tell how long they were
[32:51.670 --> 32:53.710]  in terms of their total length?
[32:54.070 --> 32:56.990]  Well, enter colored pinning kits.
[32:57.470 --> 33:00.210]  I kid you not, and they are colored,
[33:00.210 --> 33:02.690]  I kid you not, by length.
[33:02.810 --> 33:05.730]  So by seeing the color of the pins
[33:05.730 --> 33:07.830]  that we actually look at in this lock scope,
[33:07.830 --> 33:10.390]  we can tell how long our key pins are
[33:10.390 --> 33:13.070]  and therefore the key code.
[33:13.810 --> 33:18.350]  So that last picture was a locksmith's rekeying version.
[33:18.350 --> 33:21.290]  This is for an end user and we see colored pins as well.
[33:21.290 --> 33:23.090]  It makes it a little bit easier to use,
[33:23.090 --> 33:25.490]  but you can read the pins from that.
[33:25.730 --> 33:28.590]  So here's an example of looking down a Sargent lock
[33:28.590 --> 33:30.110]  with that lock scope.
[33:30.110 --> 33:34.310]  And we can see there's gold, green, gold, green, gold.
[33:34.310 --> 33:35.550]  It's a little hard to see at the end,
[33:35.550 --> 33:38.210]  but that's a purple pin at the very end.
[33:38.730 --> 33:40.750]  Looking at the Sargent chart,
[33:40.750 --> 33:42.390]  we can see that a gold bottom pin
[33:42.390 --> 33:45.310]  must be a one, four, seven, or zero,
[33:45.310 --> 33:48.510]  which is what Sargent calls its 10 depth.
[33:48.510 --> 33:52.390]  Green is three, six, nine,
[33:52.390 --> 33:55.330]  and purple is two, five, eight.
[33:55.330 --> 33:57.490]  So based on that, we can actually go ahead
[33:57.490 --> 34:00.810]  and severely limit what the key could possibly be
[34:00.810 --> 34:03.410]  for this particular system.
[34:03.650 --> 34:08.530]  This is a Sargent system, it has six pins and 10 depths,
[34:08.530 --> 34:11.010]  and we use one base numbering.
[34:11.870 --> 34:14.010]  And we'll go ahead, and under photos,
[34:14.010 --> 34:16.350]  we can add that particular rule.
[34:16.490 --> 34:19.430]  And so we tell it that it is a Sargent system
[34:19.430 --> 34:27.110]  and that we have gold, green, gold, green, gold, purple.
[34:27.110 --> 34:29.450]  And that reduces our key space from a million
[34:29.450 --> 34:31.710]  down to 1728.
[34:31.990 --> 34:33.410]  It's worth noting, incidentally,
[34:33.410 --> 34:35.290]  that half height is not gonna help us here,
[34:35.290 --> 34:37.810]  even if this lock accepts it, which it doesn't,
[34:37.810 --> 34:40.630]  because half height would not be able to try
[34:40.630 --> 34:43.310]  both of two combinations three apart.
[34:43.310 --> 34:45.650]  And so we get 1728 as well,
[34:45.650 --> 34:48.150]  with just a slightly squished chart there.
[34:48.670 --> 34:51.570]  So this is not bad, it's a lot better than a million,
[34:51.570 --> 34:53.090]  but we need to do a bit better than that
[34:53.090 --> 34:55.170]  to get a single working key.
[34:55.470 --> 34:58.690]  One thing we can notice is that if this pin one is a zero,
[34:58.690 --> 35:00.770]  then pin two cannot be a nine,
[35:00.770 --> 35:02.470]  that would be a max violation.
[35:02.590 --> 35:04.670]  So Sargent has a max of seven.
[35:04.670 --> 35:07.610]  We can go ahead and add that on in there.
[35:07.830 --> 35:09.810]  And so now we've reduced to 1166,
[35:09.810 --> 35:11.430]  that's getting a little bit better.
[35:11.690 --> 35:12.850]  What else can we do?
[35:12.850 --> 35:14.890]  Well, remember looking at this lock,
[35:14.890 --> 35:16.750]  we have this shear line visible.
[35:16.770 --> 35:19.390]  And so that tells us that this is a zero cut
[35:20.010 --> 35:22.550]  in this particular position.
[35:22.550 --> 35:28.910]  So a very high cut depth on that key.
[35:29.070 --> 35:31.410]  We can go further and use a lock pick
[35:31.410 --> 35:34.150]  to lift up that first pin and look at the second
[35:34.150 --> 35:36.250]  to see if we can see something similar.
[35:36.290 --> 35:38.110]  And we don't, but...
[35:38.110 --> 35:40.070]  So here's the lock pick in there.
[35:40.090 --> 35:42.590]  But on the third pin, we do.
[35:42.590 --> 35:47.030]  We can see a shear line at that same position
[35:47.030 --> 35:49.670]  telling us that that third pin is also a one cut.
[35:49.670 --> 35:52.050]  And we can continue backwards through the lock,
[35:52.050 --> 35:54.370]  seeing that there are not any visible shear lines
[35:54.370 --> 35:55.750]  beyond that.
[35:56.090 --> 36:00.450]  So how does that apply to the lock that we have here?
[36:00.590 --> 36:02.410]  Well, we can go to known shear lines
[36:02.410 --> 36:05.450]  and we know that pin one has a one as a shear line,
[36:05.450 --> 36:06.690]  pin three has a one.
[36:06.690 --> 36:07.930]  We can add that rule.
[36:07.930 --> 36:10.890]  And now that severely limits our key space down to 44.
[36:11.290 --> 36:13.290]  Moreover, because we looked all the way back,
[36:13.290 --> 36:16.530]  we know that pin five does not have a shear line at one.
[36:16.530 --> 36:20.390]  So its only possibilities are four, seven, and 10.
[36:20.830 --> 36:24.490]  So we can put that into there.
[36:25.250 --> 36:28.250]  And now we're down to 32 different keys.
[36:28.250 --> 36:30.730]  This is something that's very brute forcible.
[36:30.730 --> 36:33.130]  It's easy to make 32 and try it.
[36:33.130 --> 36:35.990]  That'll cost us about $10 and take three minutes
[36:35.990 --> 36:37.890]  to try 32 keys out.
[36:37.890 --> 36:40.810]  Not bad, but we can do better than that.
[36:40.810 --> 36:43.150]  And the way we can do better than that is impressioning
[36:43.150 --> 36:45.490]  in particular with this extra information
[36:45.490 --> 36:47.150]  that's available to us.
[36:47.710 --> 36:50.310]  Before we talk about how to impression this particular lock
[36:50.310 --> 36:51.710]  with extra information,
[36:51.710 --> 36:54.150]  let's talk a little bit about how impressioning works
[36:54.150 --> 36:55.290]  in general.
[36:55.550 --> 37:00.290]  So we put the key in, we put a blank key in.
[37:00.290 --> 37:03.470]  We cut all zero-bitted, the highest possible cuts.
[37:03.690 --> 37:06.050]  And when we turn the key, there's a couple pins that bind
[37:06.050 --> 37:08.330]  that don't let the lock turn.
[37:08.350 --> 37:11.030]  If we turn it really, really hard,
[37:11.030 --> 37:14.330]  then those pins are going to bind really, really hard.
[37:14.330 --> 37:16.790]  And if we then wiggle the key in and out,
[37:16.790 --> 37:18.130]  up and down a little bit,
[37:18.130 --> 37:20.430]  those pins that are binding really hard
[37:20.430 --> 37:22.350]  are gonna leave a mark on the key
[37:22.350 --> 37:25.010]  that we can then look at.
[37:25.490 --> 37:27.190]  So if we impression this,
[37:27.190 --> 37:30.430]  one of these pins that's binding is gonna leave a mark.
[37:30.630 --> 37:32.830]  Can we take the key out and look at that mark
[37:32.830 --> 37:34.870]  and see it's in position two?
[37:35.110 --> 37:37.390]  So cut two is not a zero cut,
[37:37.390 --> 37:39.590]  because if it were, if that were a shear line,
[37:39.590 --> 37:41.010]  then the pin would not have bound,
[37:41.010 --> 37:42.430]  wouldn't have left that mark.
[37:42.590 --> 37:45.910]  So we cut it down, put the key in and impression again.
[37:46.090 --> 37:48.870]  And we take it out and we see now there's no more mark
[37:48.870 --> 37:50.830]  on pin two, but there's one on pin four,
[37:50.830 --> 37:52.670]  which tells us that pin four is binding.
[37:52.670 --> 37:53.910]  It's not a zero.
[37:53.910 --> 37:57.050]  We cut it down and we repeat the process.
[37:57.550 --> 38:00.270]  And so pin four is still leaving an impression mark.
[38:00.410 --> 38:03.650]  So we file it down one more time, impression it,
[38:03.650 --> 38:06.210]  take it out, pin four is still leaving an impression mark,
[38:06.210 --> 38:09.730]  file it down one more time, take it out, impression it.
[38:09.730 --> 38:12.290]  And now we see that pin five is the only one binding.
[38:12.290 --> 38:14.450]  So pin four has stopped leaving an impression mark
[38:14.450 --> 38:16.390]  and pin five is now.
[38:16.430 --> 38:19.190]  So we know it's not a zero cut, we file it down
[38:19.190 --> 38:21.750]  and then we're going to repeat that process,
[38:21.750 --> 38:25.810]  until when we try to impression and it's the right code,
[38:25.810 --> 38:28.050]  the lock is just going to open.
[38:28.590 --> 38:30.250]  So that's how impressioning works in general,
[38:30.250 --> 38:34.050]  starting from a blank and ending with any particular lock
[38:34.610 --> 38:36.830]  or with a key for that particular lock.
[38:36.830 --> 38:41.250]  One piece of software that I'm releasing a modification
[38:41.250 --> 38:43.350]  of this is a little game that you can try.
[38:43.350 --> 38:45.750]  So you put it in and you could make the lock visible
[38:45.750 --> 38:48.490]  or not as you see fit, impression it
[38:48.490 --> 38:50.470]  and take the key back out again.
[38:50.470 --> 38:52.850]  And then you can sort of practice your impressioning
[38:52.850 --> 38:55.590]  that way until you eventually get the key for it.
[38:55.590 --> 38:57.270]  So that's something you might enjoy.
[38:57.330 --> 38:58.770]  But let's look at how that applies
[38:58.770 --> 39:01.210]  to this particular system here.
[39:01.730 --> 39:04.150]  If we wanted to impression this lock,
[39:04.150 --> 39:06.430]  so let's start by creating a lock here.
[39:07.070 --> 39:09.430]  We don't actually need to start with a blank
[39:09.430 --> 39:13.350]  because if we look at our key space,
[39:13.510 --> 39:17.090]  a one, one, one, et cetera, cannot possibly be the code.
[39:17.090 --> 39:20.470]  The highest cut our code can be is one, three,
[39:20.470 --> 39:22.870]  one, three, four, two.
[39:23.190 --> 39:25.910]  And in our impressioning tab, it tells us that.
[39:25.910 --> 39:27.730]  So that's what we actually wanna start
[39:28.230 --> 39:29.870]  by cutting our key to.
[39:29.870 --> 39:31.730]  One, three, one, three, four, two.
[39:31.910 --> 39:34.110]  And we put it into the lock.
[39:34.330 --> 39:36.950]  Now this lock, to give it a couple examples
[39:36.950 --> 39:41.470]  for what our actual code is inside the lock
[39:41.470 --> 39:46.330]  might be a one, six, one, three,
[39:48.470 --> 39:50.670]  four, eight.
[39:51.630 --> 39:54.490]  So that's what the key is we're ultimately searching for,
[39:54.490 --> 39:56.250]  but of course we don't know that yet.
[39:56.810 --> 40:00.050]  So we're gonna impression this key and take it out.
[40:00.050 --> 40:03.270]  And we see that position two is binding.
[40:03.390 --> 40:07.570]  So position two is not actually the correct cut.
[40:08.010 --> 40:10.110]  And so what we'll do is scroll on up
[40:10.650 --> 40:13.870]  and say that pin two is not at depth three.
[40:13.870 --> 40:16.430]  It's not at depth three because it was cut to depth three
[40:16.430 --> 40:18.010]  and it's leaving an impression mark.
[40:18.010 --> 40:19.350]  So we'll add that rule.
[40:19.350 --> 40:22.310]  That's telling us to try a six next.
[40:22.310 --> 40:23.850]  And we know a six is going to work
[40:23.850 --> 40:26.990]  because it's the only position left that pin two can be.
[40:27.270 --> 40:29.810]  So our impression mark should show up somewhere else.
[40:29.810 --> 40:32.630]  So we're gonna file our key down to a six depth,
[40:32.630 --> 40:37.090]  put it in and impression it and take it out again.
[40:37.090 --> 40:39.990]  And we now see that pin five is binding
[40:39.990 --> 40:42.550]  and pin five is now leaving a mark.
[40:42.550 --> 40:46.930]  So we can scroll on up and tell it that pin five,
[40:46.930 --> 40:51.650]  which was cut to a two has, sorry, not pin five,
[40:51.650 --> 40:53.710]  my apologies, pin six, the last pin.
[40:54.090 --> 40:57.450]  So pin six that was cut to a two has no shear line there
[40:57.450 --> 40:59.290]  because it leaves an impression mark.
[40:59.290 --> 41:01.470]  And so we'll add that rule to the system,
[41:01.470 --> 41:02.770]  no shear line there.
[41:02.850 --> 41:06.810]  And it tells us the next tryout is one, six, one, three,
[41:06.810 --> 41:09.270]  four, five, because five is the next value
[41:09.270 --> 41:11.230]  that pin six can take on.
[41:11.830 --> 41:12.910]  So we try that.
[41:12.910 --> 41:15.450]  Pin six, we'll cut it down from a two to a five
[41:16.050 --> 41:19.510]  and we'll put it in and impression it.
[41:19.590 --> 41:20.690]  And when we take it out,
[41:20.690 --> 41:23.230]  we'll see this impression mark left on pin six.
[41:23.230 --> 41:26.690]  So we know that pin six is not a five depth either.
[41:27.270 --> 41:30.250]  And so we'll tell it that, no shear line at depth five.
[41:30.290 --> 41:32.710]  And so it tells us to try an eight now.
[41:32.770 --> 41:35.130]  And we can see that this has to be what pin six is.
[41:35.130 --> 41:37.370]  So if this doesn't work, we've done something wrong.
[41:37.370 --> 41:39.690]  So we'll file it down to an eight
[41:40.070 --> 41:42.490]  and we'll put our key in and we'll hit impression.
[41:43.190 --> 41:44.770]  And this time the lock opens
[41:44.770 --> 41:46.850]  because we found the correct code.
[41:46.850 --> 41:50.590]  So as we can see, one, six, one, three, four, eight.
[41:50.790 --> 41:54.890]  This was done in only three impressioning steps,
[41:54.890 --> 41:57.890]  whereas it would have taken 19 to get down
[41:57.890 --> 42:01.430]  to this particular code using impressioning
[42:01.430 --> 42:02.950]  with no other information,
[42:02.950 --> 42:06.230]  just going down one at a time.
[42:06.230 --> 42:11.210]  So very, very powerful tool that will let us decode locks
[42:11.210 --> 42:13.470]  with the impressioning technique.
[42:13.550 --> 42:14.850]  So let's look at another arrangement
[42:14.850 --> 42:17.570]  that can be useful to us, which is keyed-alike systems.
[42:17.570 --> 42:21.130]  So password reuse is generally accepted to be poor form.
[42:21.170 --> 42:23.410]  Key reuse is common and called keyed-alike
[42:23.410 --> 42:25.090]  and seen in many cases.
[42:25.230 --> 42:27.670]  So there's a whole big old list here.
[42:27.690 --> 42:30.110]  Many of them, if you're interested in this,
[42:30.110 --> 42:31.150]  I encourage you to check out
[42:31.150 --> 42:33.850]  Howard Payne and Deviant Ollam's amazing talk,
[42:33.850 --> 42:36.750]  This Key is Your Key, This Key is My Key at HOPE XI.
[42:36.850 --> 42:39.770]  And it touches on a whole bunch of these and what they do.
[42:39.910 --> 42:41.230]  Here's a couple that I've discovered
[42:41.230 --> 42:42.990]  that weren't mentioned in that talk
[42:42.990 --> 42:44.390]  that I think are interesting.
[42:44.410 --> 42:47.170]  So one is construction cores.
[42:47.370 --> 42:49.490]  So if you ever see an interchangeable core
[42:49.490 --> 42:53.490]  that's got a color on it, black, red, or green,
[42:53.970 --> 42:55.970]  that's usually a construction core.
[42:55.970 --> 42:57.750]  It's just used when the building's under construction
[42:57.750 --> 42:59.870]  and it gets swapped out once it's done.
[42:59.870 --> 43:01.470]  These are all keyed alike.
[43:01.470 --> 43:04.950]  So if you find, say, a green Best or a black Schlage,
[43:04.950 --> 43:07.930]  you can look up what the code is and cut a key for that
[43:07.930 --> 43:10.770]  without doing any more decoding.
[43:11.030 --> 43:13.610]  Traffic controller boxes are like that as well.
[43:13.610 --> 43:16.150]  This little upper box is for emergency services
[43:16.150 --> 43:17.910]  to manually control the light.
[43:17.910 --> 43:20.570]  And those keys are universal across North America.
[43:20.570 --> 43:23.730]  And then this lower keyhole is for maintaining the system.
[43:23.730 --> 43:26.010]  And there's only a couple of those different keys
[43:26.010 --> 43:28.890]  that are used across North America.
[43:28.890 --> 43:31.970]  Here's a great example of a bunch of keyed-alike systems.
[43:31.970 --> 43:33.890]  So we have an Enterphone box here.
[43:33.890 --> 43:35.310]  This is a Mircom box.
[43:35.310 --> 43:37.390]  So opening it up to service the box,
[43:37.390 --> 43:39.610]  this is a Mircom 549 key,
[43:39.610 --> 43:42.770]  and that's universal for all of these Mircom boxes.
[43:42.770 --> 43:44.790]  It's also got a postal key here
[43:44.790 --> 43:47.130]  so that the post worker can open the box
[43:47.130 --> 43:51.450]  or can open the door and get in and deliver your mail.
[43:51.510 --> 43:54.310]  This box beside it is a little key box
[43:54.310 --> 43:56.730]  that the power company uses to get in
[43:56.730 --> 43:59.070]  because presumably this particular facility
[43:59.070 --> 44:01.430]  will have a customer-owned transformer vault
[44:01.430 --> 44:02.930]  somewhere with inside.
[44:03.190 --> 44:07.150]  We also see these two building-owned keys.
[44:07.150 --> 44:08.150]  We don't know what they're for,
[44:08.150 --> 44:10.370]  but lots of ways to get through this door,
[44:10.370 --> 44:12.730]  three of which are keyed-alike systems.
[44:13.050 --> 44:15.470]  Here's an example of a postal lock box.
[44:15.470 --> 44:18.550]  This one is an Abloy postal lock.
[44:18.550 --> 44:21.610]  So in Canada, our postal service uses Abloy.
[44:21.610 --> 44:23.190]  Very, very good choice.
[44:23.190 --> 44:27.130]  It's somewhat negated by this DoorKing lock here,
[44:27.130 --> 44:29.990]  which is not only a poor-tolerance wafer lock,
[44:29.990 --> 44:31.730]  but it's also keyed alike.
[44:31.870 --> 44:35.710]  And these DoorKing keys, any of them will open it.
[44:36.190 --> 44:38.430]  If it's not something that we already know
[44:38.430 --> 44:40.510]  what the key is for the keyed-alike system,
[44:40.510 --> 44:43.590]  we can determine what that key is by disassembling the lock.
[44:43.590 --> 44:45.570]  And then once we get the key for one lock,
[44:45.570 --> 44:48.190]  it's gonna work for all of them if they're keyed alike.
[44:48.470 --> 44:53.170]  So to do that, we need to get the lock out somehow.
[44:53.170 --> 44:55.130]  So once the door is open,
[44:55.130 --> 44:57.130]  you can unscrew the retaining screw
[44:57.130 --> 44:58.450]  and then unscrew the lock,
[44:58.450 --> 45:01.230]  at which point we can take off the tail piece
[45:01.690 --> 45:04.290]  and get these pins to shear line somehow,
[45:04.290 --> 45:06.810]  either shimming through the back or picking.
[45:06.850 --> 45:09.130]  And then we can look at what the pins are
[45:09.130 --> 45:10.630]  on the inside of it.
[45:10.710 --> 45:14.210]  So in this particular case, we have a lock.
[45:14.210 --> 45:16.530]  We can see how long these pins are.
[45:16.690 --> 45:19.030]  And that particular pattern that the pins make,
[45:19.030 --> 45:21.030]  if we invert it, so it's upside down,
[45:21.030 --> 45:23.170]  that's gonna give us what the key looks like.
[45:23.170 --> 45:24.570]  And so we can see we put the key in
[45:24.570 --> 45:26.130]  and it doesn't need work.
[45:26.130 --> 45:27.770]  And we can figure out what exactly
[45:27.770 --> 45:30.650]  that key is going to look like from the lock.
[45:31.210 --> 45:33.370]  If you don't wanna have to shim through the back,
[45:33.370 --> 45:35.210]  you can also take off this brass plate,
[45:35.210 --> 45:38.010]  which is an awful task to do, but it does work.
[45:38.810 --> 45:40.790]  And if you wanna have a bit more time
[45:40.790 --> 45:43.210]  to do this decoding and disassembly,
[45:43.210 --> 45:46.190]  one thing you can do as well is replace it,
[45:46.190 --> 45:49.530]  temporarily at least, with a lock that looks like this.
[45:49.530 --> 45:53.570]  And that's going to work no matter what key enters the lock.
[45:53.630 --> 45:57.470]  So anyone that tries to get in is not going to be blocked
[45:57.470 --> 45:58.790]  and no one's gonna be the wiser
[45:58.790 --> 46:01.970]  while you have the lock out for disassembly.
[46:03.370 --> 46:05.070]  Medecos are very nice to us.
[46:05.070 --> 46:07.590]  They have these nice set screws at the top.
[46:07.590 --> 46:10.310]  And so we can pull that out and dump the pin stack.
[46:10.310 --> 46:11.990]  And so we can see in this pin stack here,
[46:11.990 --> 46:13.230]  we have a key pin.
[46:13.230 --> 46:18.030]  We can read both the angle and the depth of it from that.
[46:18.030 --> 46:19.890]  This one happens to have some master wafers,
[46:19.890 --> 46:20.950]  so it's not keyed alike,
[46:20.950 --> 46:22.550]  and we'll talk about how to handle that later,
[46:22.550 --> 46:26.930]  but we can see a 25 thousandths of an inch one wafer
[46:26.930 --> 46:28.670]  and a 50 thousandths two wafer.
[46:28.670 --> 46:30.950]  In this case, we only needed to remove
[46:31.530 --> 46:32.790]  these first two pin stacks
[46:34.230 --> 46:37.070]  because we got some information about the lock already
[46:37.070 --> 46:39.670]  and the first two pin stacks were the only things
[46:39.670 --> 46:42.030]  that we needed more information about.
[46:42.550 --> 46:44.790]  And of course, because of these set screws,
[46:44.790 --> 46:46.950]  we don't have to worry about this awful brass piece
[46:46.950 --> 46:48.870]  or shimming it, et cetera.
[46:49.010 --> 46:50.790]  If you're interested in this sort of thing,
[46:50.790 --> 46:53.650]  I strongly recommend you check out Moloch's amazing talk,
[46:53.650 --> 46:55.830]  Please Do Not Duplicate: Attacking the Knox Box
[46:55.830 --> 46:57.190]  from DEF CON 26.
[46:57.430 --> 46:59.910]  It's all about doing attacks like this,
[46:59.910 --> 47:03.110]  taking locks apart and looking at the Knox Box systems,
[47:03.110 --> 47:06.190]  which are keyed alike across many jurisdictions
[47:06.190 --> 47:07.990]  in North America.
[47:08.610 --> 47:10.350]  So that's keyed-alike systems.
[47:10.350 --> 47:14.370]  What we can do with that is start to analyze everything
[47:14.370 --> 47:16.030]  that we've looked at so far
[47:16.030 --> 47:19.110]  and figure out how to formalize it
[47:19.110 --> 47:22.110]  and how to determine what the best next step is.
[47:22.110 --> 47:25.170]  And we can do that by looking at information theory.
[47:26.390 --> 47:28.570]  So you've likely heard of the concept
[47:28.570 --> 47:31.090]  of the entropy of a password before.
[47:31.090 --> 47:33.410]  We'll talk a bit about what exactly that means.
[47:33.410 --> 47:35.570]  So information is stuff we know
[47:35.570 --> 47:38.350]  and entropy is stuff we don't know.
[47:38.530 --> 47:40.670]  So in the case of a stoplight, it's either red or green
[47:40.670 --> 47:42.370]  and that is information.
[47:42.370 --> 47:45.790]  That's in the case of red or green, one bit of information
[47:45.790 --> 47:48.770]  because it's a zero or a one, that's ignoring yellow.
[47:49.430 --> 47:51.470]  When it's a random variable,
[47:51.470 --> 47:53.830]  that's something we don't know and so that's entropy.
[47:54.130 --> 47:56.030]  And so a key or a password has entropy
[47:56.030 --> 47:57.730]  because we do not know it
[47:57.730 --> 47:58.890]  and we're trying to determine it
[47:58.890 --> 48:01.410]  to get into that particular lock.
[48:02.250 --> 48:04.210]  So how do we measure the entropy?
[48:04.350 --> 48:05.330]  So it's in bits.
[48:05.330 --> 48:07.030]  So a coin flip is a zero or a one,
[48:07.030 --> 48:08.550]  so it has one bit of entropy.
[48:08.570 --> 48:11.810]  A random number from zero to 255 is eight bits,
[48:11.810 --> 48:16.010]  since eight bits can encode number zero to 255.
[48:16.050 --> 48:20.250]  A random number one to 10 has 3.32 bits.
[48:20.250 --> 48:23.730]  Well, how do we have a fractional number of bits?
[48:23.730 --> 48:26.130]  Well, we can think of it like the following.
[48:26.170 --> 48:28.150]  We have three random numbers, one to 10,
[48:28.150 --> 48:30.510]  that is a three digit number.
[48:30.510 --> 48:32.770]  And so that can be encoded with one to a thousand
[48:32.770 --> 48:34.650]  or zero to 999.
[48:34.690 --> 48:37.130]  And that fits very well into 10 bits,
[48:37.130 --> 48:39.430]  which can encode zero to 1023.
[48:39.430 --> 48:41.750]  So two to the 10 minus one.
[48:42.370 --> 48:45.750]  So 10 bits will easily encode zero to 999
[48:45.750 --> 48:48.050]  with not a whole lot left over.
[48:48.050 --> 48:50.110]  And so 10 bits divided by three,
[48:50.110 --> 48:52.550]  because we're storing three random numbers inside of it,
[48:52.550 --> 48:56.710]  is 3.33, which is very close to that 3.32 figure.
[48:56.710 --> 48:59.430]  If we extend the number that we're storing,
[48:59.430 --> 49:00.730]  so instead of three random numbers,
[49:00.730 --> 49:02.630]  we try to store six or nine or a thousand
[49:02.630 --> 49:04.570]  as that tends to infinity,
[49:04.570 --> 49:07.670]  this number tends to 3.32.
[49:09.450 --> 49:13.170]  This is mathematically represented with a log.
[49:13.170 --> 49:16.610]  So the entropy of a piece of information
[49:16.610 --> 49:18.310]  can be thought of as the number of bits
[49:18.310 --> 49:20.350]  it takes to write it down,
[49:20.350 --> 49:25.470]  or write down a number from zero to the total value
[49:25.470 --> 49:28.510]  that that information can possibly be.
[49:28.510 --> 49:32.230]  And so that would be the log base two of that number.
[49:32.790 --> 49:34.550]  So the number of bits of entropy,
[49:34.550 --> 49:36.450]  which is represented by the Greek letter eta,
[49:36.450 --> 49:38.490]  or eta in modern Greek,
[49:38.490 --> 49:40.490]  for a random variable with n outcomes
[49:40.490 --> 49:43.610]  is just log base two of n.
[49:43.610 --> 49:46.550]  So a fair coin flip has two possible outcomes.
[49:46.550 --> 49:48.770]  Log base two of two is,
[49:48.770 --> 49:52.090]  that should not say two bits, that is a typo, one bit.
[49:52.230 --> 49:54.930]  A random number from zero to 255
[49:55.430 --> 49:57.390]  is log base two of 256,
[49:57.390 --> 49:59.550]  because zero is not counted here,
[49:59.550 --> 50:01.470]  so, or is counted here.
[50:01.470 --> 50:05.470]  So that's 256 possible options, which is eight bits.
[50:05.530 --> 50:06.770]  And a random number of one to 10
[50:06.770 --> 50:10.890]  is log base two of 10, which is 3.322,
[50:10.890 --> 50:12.310]  what we looked at before.
[50:12.710 --> 50:15.550]  So a couple of examples of entropy within keys.
[50:16.790 --> 50:19.670]  That is the number of bits in the piece of information,
[50:19.670 --> 50:20.510]  so the key to the password,
[50:20.510 --> 50:22.130]  once we do have that information.
[50:22.370 --> 50:24.310]  So an eight character ASCII password,
[50:24.310 --> 50:27.770]  so that's eight bytes times eight bits per byte
[50:27.770 --> 50:30.030]  is 256 bits of entropy.
[50:30.510 --> 50:33.310]  This, many of you will be screaming at your monitor,
[50:33.310 --> 50:36.770]  is wrong, because some characters
[50:36.770 --> 50:38.290]  are more likely than others.
[50:38.290 --> 50:42.050]  Some characters are not used at all in most passwords.
[50:42.050 --> 50:45.070]  And of course, dictionary attacks exist,
[50:45.070 --> 50:47.990]  so certain passwords are more common than others.
[50:48.030 --> 50:49.750]  And so that does reduce the entropy.
[50:49.750 --> 50:52.290]  We'll look at why in a little bit.
[50:52.350 --> 50:54.810]  For a 10 digit passcode, three characters long,
[50:54.810 --> 50:56.930]  assuming all combinations are equally likely,
[50:56.930 --> 50:59.990]  we have 9.97 bits, which makes sense.
[50:59.990 --> 51:02.910]  A thousand combinations is a little bit shy of 1024,
[51:02.910 --> 51:04.930]  which would be exactly 10 bits.
[51:05.210 --> 51:09.310]  An EVVA MCS, so that's the magnetic coding system key.
[51:09.310 --> 51:13.230]  It has four rotors and eight positions each for each rotor.
[51:13.230 --> 51:15.050]  So that's eight to the power of four,
[51:15.050 --> 51:18.450]  4,096, or 12 bits exactly of entropy.
[51:18.450 --> 51:20.970]  And a Schlage five pin system has five to the power
[51:20.970 --> 51:23.050]  of 10 or 100,000 combinations,
[51:23.050 --> 51:26.770]  log two of 100,000 is 16.6 bits.
[51:26.770 --> 51:29.490]  So that's a couple of examples
[51:30.070 --> 51:32.550]  of how much entropy is in a system.
[51:32.910 --> 51:34.930]  In the software that we have here,
[51:34.930 --> 51:37.650]  it gives you that at the start
[51:37.650 --> 51:39.850]  and at the end of the rules that you've applied.
[51:39.910 --> 51:43.570]  So in this particular case, if we look at a Schlage system,
[51:43.570 --> 51:47.910]  whoopsies, five pins with 10 possible depths,
[51:47.910 --> 51:52.330]  so 100,000, and then we have 16.6 right there.
[51:52.330 --> 51:54.390]  And you can play around with that to see what happens
[51:54.390 --> 51:58.350]  as you change the number of depths and pins.
[51:59.750 --> 52:01.410]  So if there are N possibilities
[52:01.410 --> 52:04.550]  and all possibilities are equally likely,
[52:04.550 --> 52:07.490]  then the entropy is given by log two of N.
[52:07.690 --> 52:10.870]  But if some possibilities are more likely than others,
[52:10.870 --> 52:12.050]  entropy goes down.
[52:12.050 --> 52:15.330]  So in a dictionary based attack on passwords,
[52:15.330 --> 52:17.590]  because they follow these dictionaries,
[52:17.590 --> 52:19.790]  it is easier to guess that there's less entropy
[52:19.790 --> 52:21.610]  in those passwords.
[52:22.090 --> 52:24.630]  And so in the example of keys,
[52:25.430 --> 52:28.170]  we see many key systems avoiding very deep cuts
[52:28.170 --> 52:31.270]  because that makes the key more prone to breaking.
[52:32.350 --> 52:35.350]  And there's other ways that you can do keys
[52:35.350 --> 52:36.690]  to make it harder to pick.
[52:36.690 --> 52:38.170]  And so that does slightly reduce
[52:38.170 --> 52:40.550]  the amount of entropy present in your key.
[52:40.550 --> 52:43.930]  The fact that certain differs are less probable than others.
[52:44.130 --> 52:46.970]  So to look at a very simple example here,
[52:46.970 --> 52:50.710]  we have a master key that we've decoded
[52:50.710 --> 52:55.450]  as either a 14767 or a 94767.
[52:55.450 --> 52:57.550]  So looking at these two options naively,
[52:57.550 --> 53:00.910]  we have, or we could say there might be a 50-50 chance
[53:00.910 --> 53:03.510]  of each of these two options.
[53:03.510 --> 53:06.030]  And so since there's two, it's a zero or a one,
[53:06.030 --> 53:08.010]  this is one bit of entropy.
[53:08.130 --> 53:10.550]  We can expand this calculation a little bit
[53:11.450 --> 53:14.570]  by looking at the individual probabilities.
[53:14.570 --> 53:19.090]  So there's a probability of 0.5 of it being 14767
[53:19.090 --> 53:21.570]  and 0.5 of nine.
[53:21.590 --> 53:25.710]  So we have minus 0.5 log two of 0.5.
[53:25.710 --> 53:27.750]  So that's the probability of the first one.
[53:27.750 --> 53:29.110]  Then the exact same thing,
[53:29.110 --> 53:31.650]  because the probability of the second is the same.
[53:31.650 --> 53:35.430]  And we do a little bit of arithmetic using our log rules.
[53:35.430 --> 53:36.770]  And we find that that simplifies
[53:36.770 --> 53:40.270]  to log base two of two or one bit.
[53:40.650 --> 53:43.810]  The question is though, are these equiprobable?
[53:43.810 --> 53:49.070]  And so if this were a non-master key, then it might be,
[53:49.070 --> 53:50.730]  but knowing that this is a master key,
[53:50.730 --> 53:52.650]  there's a couple of cues we can take.
[53:52.750 --> 53:54.930]  So here's our 14767.
[53:55.010 --> 53:57.470]  This is very typical of what master keys
[53:57.470 --> 53:59.370]  very frequently look like.
[53:59.730 --> 54:01.350]  When we take this down to a nine,
[54:01.350 --> 54:02.970]  there's a number of problems with it.
[54:02.970 --> 54:05.790]  One is it has a very deep cut in pin one.
[54:05.790 --> 54:08.150]  This is prone to breaking off in the lock.
[54:08.210 --> 54:11.090]  And I generally want to avoid keys breaking off in locks,
[54:11.090 --> 54:13.090]  but especially master keys,
[54:13.090 --> 54:14.910]  because if that gets stuck in there
[54:14.910 --> 54:17.090]  and a bad actor is able to get it out,
[54:17.090 --> 54:18.770]  that's a problem for you.
[54:18.770 --> 54:20.030]  The other thing that happens here
[54:20.030 --> 54:22.650]  is this is now a very low cut key.
[54:22.690 --> 54:24.670]  And for reasons we'll talk about shortly,
[54:24.670 --> 54:28.090]  having a low cut master key is something you want to avoid.
[54:28.470 --> 54:32.390]  So it's highly unlikely that this 94767
[54:32.950 --> 54:35.190]  would be the code that the locksmith chose
[54:35.190 --> 54:37.390]  to be the master key.
[54:37.630 --> 54:41.370]  So we can assess perhaps a 95% chance
[54:41.370 --> 54:44.510]  that it's this one cut and a 5% chance
[54:44.510 --> 54:46.690]  that it's this nine cut.
[54:46.690 --> 54:49.790]  And crunching those numbers, we have 0.95.
[54:49.790 --> 54:51.890]  So our probability times log two of 0.95
[54:52.970 --> 54:56.270]  plus 0.05 times log two of 0.05.
[54:56.270 --> 55:02.070]  And we find our entropy is now 0.2 bits, 0.3 rounding.
[55:02.070 --> 55:04.230]  So that is significantly lower
[55:04.230 --> 55:08.210]  owing to this high difference in probabilities
[55:08.210 --> 55:10.310]  between these two options.
[55:10.310 --> 55:11.730]  In the extreme case,
[55:11.730 --> 55:14.010]  so we can sort of intuitively understand this,
[55:14.010 --> 55:15.250]  if one option is certain
[55:15.250 --> 55:17.350]  and the other option is impossible,
[55:17.350 --> 55:18.730]  well, that's zero bits of entropy
[55:18.730 --> 55:22.570]  because there's nothing unknown in this case.
[55:22.930 --> 55:27.350]  So in general, the entropy where the probabilities
[55:27.350 --> 55:32.350]  are not equal is going to be the sum of each probability
[55:32.870 --> 55:35.490]  times the log two of each probability,
[55:35.490 --> 55:37.030]  and then minus that,
[55:37.030 --> 55:39.250]  because log of a number less than one
[55:39.250 --> 55:40.990]  is going to be a negative.
[55:40.990 --> 55:46.010]  And so this definition is a fairly beautiful derivation
[55:46.010 --> 55:49.430]  of it that I won't go into now for obvious reasons,
[55:49.430 --> 55:51.450]  but I encourage you to look it up.
[55:51.450 --> 55:53.210]  So we can now extend this concept
[55:53.790 --> 55:56.130]  and do a little bit more useful with it
[55:56.130 --> 55:58.610]  by looking at joint and conditional entropy
[55:58.610 --> 56:01.510]  and mutual information for different rules
[56:01.510 --> 56:03.590]  in terms of which ones are giving us
[56:03.590 --> 56:05.830]  more and less information.
[56:05.890 --> 56:08.630]  So let's just get rid of this block to start.
[56:08.630 --> 56:11.750]  So what we'll do here is consider a very simple system
[56:11.750 --> 56:16.770]  with only three pins and only two possible depths for each.
[56:16.770 --> 56:19.850]  And so we can see that this has three bits of entropy in it,
[56:19.850 --> 56:21.030]  and that makes sense.
[56:21.030 --> 56:24.210]  We have a zero or a one, zero, one, zero, one,
[56:24.210 --> 56:26.250]  three times over, so that's three bits.
[56:26.250 --> 56:29.310]  And we've enumerated all of the eight possible options here.
[56:29.390 --> 56:32.110]  And of course, log base two of eight is three,
[56:32.110 --> 56:34.370]  so that also makes a lot of sense.
[56:35.050 --> 56:36.750]  So let's say that we have,
[56:36.750 --> 56:39.090]  let's say a photograph of the key or something,
[56:39.090 --> 56:41.770]  but that photograph only shows us pin one.
[56:41.770 --> 56:44.890]  And that tells us that pin one is a zero.
[56:46.090 --> 56:48.670]  So that now tells us, well, pin one is a zero.
[56:48.670 --> 56:50.790]  We don't know anything about pin two or pin three.
[56:50.790 --> 56:52.710]  That gives us one bit of information.
[56:52.710 --> 56:53.670]  It makes sense.
[56:53.670 --> 56:56.130]  And we're now down to two bits of conditional entropy.
[56:56.130 --> 56:59.750]  That's conditional on this rule being the case here.
[57:00.030 --> 57:02.510]  And then we get another photo and it's a bit better.
[57:02.510 --> 57:06.070]  It shows us that pin one is a zero and pin two is a zero.
[57:06.430 --> 57:09.690]  And so now we've limited pin one and pin two to zero, zero.
[57:09.690 --> 57:12.310]  And so we have one bit of entropy left
[57:12.310 --> 57:14.610]  because this rule has given us two.
[57:16.170 --> 57:19.630]  And if we have a third photograph,
[57:19.630 --> 57:21.810]  say that shows that pin three is limited to zero,
[57:21.810 --> 57:23.770]  but we can't see pin one or pin two.
[57:23.990 --> 57:25.470]  Now we have the final key
[57:25.470 --> 57:28.450]  because we know that they're all zero, zero, zero.
[57:28.930 --> 57:32.050]  So this is fairly simplistic and fairly obvious, I assume,
[57:32.050 --> 57:34.910]  but we can analyze it in terms of the information content
[57:34.910 --> 57:37.490]  provided in each of these three rules.
[57:37.890 --> 57:39.750]  So looking at it intuitively,
[57:39.750 --> 57:42.470]  rule one gave us one bit of information,
[57:42.470 --> 57:45.370]  rule two gives us two, and rule three gives us one,
[57:45.370 --> 57:51.410]  as well as rule two shares one bit with rule one.
[57:51.410 --> 57:55.170]  In terms of the conditional entropy given by rule one
[57:55.170 --> 57:57.070]  relative to rule two.
[57:57.170 --> 57:59.190]  So given everything that rule two gives us,
[57:59.190 --> 58:01.290]  rule one gives us nothing extra.
[58:01.330 --> 58:03.310]  Given everything that rule one gives us,
[58:03.310 --> 58:05.790]  rule two gives us one bit extra,
[58:05.790 --> 58:09.630]  and they share one bit, common to both of them,
[58:09.630 --> 58:12.590]  and rule three, of course, shares nothing with the other two.
[58:12.590 --> 58:16.690]  So we can analyze this automatically with the software here
[58:16.690 --> 58:20.310]  by clicking calculate conditional entropies down below.
[58:20.390 --> 58:24.630]  And let's compare rules one and two, just to start.
[58:24.630 --> 58:27.210]  And we see exactly what I mentioned there.
[58:27.210 --> 58:31.430]  So rule one, within this circle, we see it gives us one bit,
[58:31.430 --> 58:36.070]  and rule two, within its circle, gives us two bits.
[58:36.270 --> 58:39.690]  One bit is shared with rule one, and one bit is on its own.
[58:39.690 --> 58:42.690]  And so that one on its own is, of course, position two,
[58:42.690 --> 58:43.750]  where this is the only one
[58:43.750 --> 58:46.130]  that tells us anything about pin two.
[58:47.230 --> 58:49.930]  And then the total information given by both
[58:49.930 --> 58:51.330]  is the sum of what's in here.
[58:51.330 --> 58:55.110]  So that's the joint entropy reduction, which is two bits.
[58:55.890 --> 58:58.250]  Comparing rule one and rule three,
[58:58.250 --> 59:00.210]  we see that they both give us one bit,
[59:00.210 --> 59:02.790]  and there's nothing shared between them, which makes sense.
[59:02.790 --> 59:05.150]  We have pin one, pin three, nothing shared.
[59:05.430 --> 59:07.450]  And we can compare all of them.
[59:07.670 --> 59:09.390]  And so we see now that within these,
[59:09.390 --> 59:12.410]  we have a total of three bits given.
[59:12.410 --> 59:14.590]  And for the system that started out as three bits,
[59:14.590 --> 59:16.990]  that will reduce us to a final key.
[59:17.410 --> 59:19.270]  And those three bits,
[59:19.270 --> 59:22.370]  one of which is shared between rules one and two,
[59:23.430 --> 59:26.690]  one of which is just given by rule two,
[59:26.690 --> 59:29.070]  one of which is just given by rule three.
[59:29.070 --> 59:30.510]  And then there's nothing, say, that's shared
[59:30.510 --> 59:31.610]  by all three of them,
[59:31.610 --> 59:35.090]  or that's just given by rule one, et cetera.
[59:35.970 --> 59:38.930]  So this is a fairly useful way of analyzing
[59:38.930 --> 59:41.550]  the rules that we've determined that limit the system
[59:41.550 --> 59:44.970]  and determining which one is most useful to us.
[59:44.970 --> 59:47.150]  And are we sharing a lot of information?
[59:47.150 --> 59:48.330]  If we are, that indicates
[59:48.330 --> 59:50.070]  that we're not being particularly efficient
[59:50.070 --> 59:51.870]  with what work we're doing
[59:51.870 --> 59:54.510]  to find out this information put into this system.
[59:54.510 --> 59:57.290]  Ideally, the less shared information,
[59:57.290 --> 59:59.990]  the more total information we're actually going to get
[01:00:00.380 --> 01:00:04.410]  out of all of the rules in this particular system.
[01:00:05.780 --> 01:00:09.290]  So that is conditional entropy.
[01:00:09.290 --> 01:00:10.730]  Mutual information, by the way,
[01:00:10.730 --> 01:00:15.390]  is the term that we use to talk about the information
[01:00:15.390 --> 01:00:17.470]  that is, well, mutual between
[01:00:18.160 --> 01:00:19.790]  two different random variables,
[01:00:19.790 --> 01:00:21.630]  or in this case, two different rules
[01:00:21.630 --> 01:00:24.390]  that impose a constraint on the system.
[01:00:27.730 --> 01:00:29.670]  So in the case that we looked at before
[01:00:29.670 --> 01:00:32.750]  with this 0151X key,
[01:00:32.750 --> 01:00:37.490]  we have the conditional entropy given by the code book
[01:00:37.490 --> 01:00:39.790]  is a lot, almost nine bits,
[01:00:39.790 --> 01:00:40.590]  which makes sense.
[01:00:40.590 --> 01:00:44.830]  We're going from 390,000 to 1,700 possibilities.
[01:00:44.910 --> 01:00:47.390]  And given by the photo is a fair bit as well,
[01:00:47.390 --> 01:00:50.810]  because we were able to determine some severe limitations
[01:00:50.810 --> 01:00:52.870]  on many of the pins that exist.
[01:00:52.870 --> 01:00:55.150]  And there's not a lot of shared information.
[01:00:55.150 --> 01:00:57.890]  The result of that is between these two rules,
[01:00:57.890 --> 01:01:01.990]  they give us all of the entropy that existed
[01:01:01.990 --> 01:01:03.790]  in that particular key.
[01:01:04.790 --> 01:01:05.770]  There's a good reason
[01:01:05.770 --> 01:01:07.430]  that they don't share a lot of information.
[01:01:07.430 --> 01:01:08.930]  And that's because, well,
[01:01:08.930 --> 01:01:12.090]  what is the uncertainty that exists in a photo?
[01:01:12.090 --> 01:01:13.510]  Well, the uncertainty is, you know,
[01:01:13.510 --> 01:01:15.470]  is this a two or a three?
[01:01:15.470 --> 01:01:17.810]  You know, is one position off?
[01:01:17.990 --> 01:01:19.670]  In the case of a code book,
[01:01:19.670 --> 01:01:21.850]  what they do with code books is very different.
[01:01:21.850 --> 01:01:23.470]  They're not going to make a code
[01:01:23.470 --> 01:01:27.570]  that's off by just one cut and one pin
[01:01:27.570 --> 01:01:29.570]  from another item in the code book.
[01:01:29.570 --> 01:01:31.270]  They're all going to be wildly different
[01:01:31.270 --> 01:01:34.590]  if you're reducing 390,000 possible differs
[01:01:34.590 --> 01:01:37.430]  into 1,700 in the code book.
[01:01:37.430 --> 01:01:39.430]  So because they're wildly different,
[01:01:39.430 --> 01:01:41.410]  the information given to us by the code book
[01:01:41.410 --> 01:01:44.490]  is very, very different than the information
[01:01:44.490 --> 01:01:45.690]  given by the photo.
[01:01:45.690 --> 01:01:47.430]  There's not a lot of overlap.
[01:01:47.430 --> 01:01:48.870]  And as a result there,
[01:01:49.670 --> 01:01:51.490]  these two rules put together
[01:01:51.490 --> 01:01:54.770]  are very useful to give us a lot of information
[01:01:54.770 --> 01:01:56.710]  about this system.
[01:01:56.710 --> 01:01:58.690]  So we've talked about loads of techniques
[01:01:58.690 --> 01:02:00.170]  to determine the key for a lock
[01:02:00.170 --> 01:02:01.750]  when we don't have a key at all.
[01:02:01.750 --> 01:02:03.530]  How about if we have a key for some lock
[01:02:03.530 --> 01:02:05.290]  on some master system,
[01:02:05.290 --> 01:02:08.130]  and we want to turn it into a grand master key
[01:02:08.130 --> 01:02:10.170]  that's going to work for all of those locks?
[01:02:10.170 --> 01:02:11.870]  To understand how to do that,
[01:02:11.870 --> 01:02:15.090]  let's look a little bit at how mastering works in general.
[01:02:15.090 --> 01:02:16.910]  Any lock on a master system
[01:02:16.910 --> 01:02:19.330]  is going to accept multiple keys.
[01:02:19.330 --> 01:02:21.670]  And it does that by having more than one shear lines
[01:02:21.670 --> 01:02:23.490]  in at least some of the pins.
[01:02:23.590 --> 01:02:26.750]  So in this case, we have two shear lines in every pin stack.
[01:02:26.750 --> 01:02:28.630]  One of these shear lines in each pin stack
[01:02:28.630 --> 01:02:30.830]  is for the change key,
[01:02:30.830 --> 01:02:33.670]  and one is going to be for the master key.
[01:02:33.670 --> 01:02:35.530]  So there's two different shear lines,
[01:02:35.530 --> 01:02:38.290]  and a different one is always gonna be used,
[01:02:38.290 --> 01:02:40.850]  one for change and one for master.
[01:02:41.310 --> 01:02:43.790]  Master key actually is necessary
[01:02:43.790 --> 01:02:46.610]  in the context of multiple locks.
[01:02:46.690 --> 01:02:48.590]  So in here we have Alice's lock
[01:02:48.590 --> 01:02:50.250]  and her key A1,
[01:02:50.250 --> 01:02:53.350]  and it's going to work in her lock.
[01:02:54.210 --> 01:02:59.050]  And we're also going to have a sub master, MKA,
[01:02:59.050 --> 01:03:01.830]  that will work in her lock and a grand master.
[01:03:01.850 --> 01:03:04.330]  But Bob can't put his key in her lock.
[01:03:04.330 --> 01:03:05.710]  It's not going to work.
[01:03:05.710 --> 01:03:07.410]  It binds in pin three,
[01:03:07.410 --> 01:03:09.450]  and Charlie's is completely off.
[01:03:09.450 --> 01:03:11.290]  It's also not going to work.
[01:03:11.290 --> 01:03:13.330]  So that's what works in Alice's lock.
[01:03:13.330 --> 01:03:17.730]  In Bob's lock, Alice's key is not going to work
[01:03:17.730 --> 01:03:21.010]  because it's not the right key.
[01:03:21.010 --> 01:03:22.270]  It's just a change key.
[01:03:22.350 --> 01:03:24.730]  But Bob's key, of course, will.
[01:03:25.530 --> 01:03:27.170]  Charlie's key won't.
[01:03:27.390 --> 01:03:29.470]  And the master MKA will,
[01:03:29.470 --> 01:03:31.150]  because Bob is on the A system.
[01:03:31.150 --> 01:03:32.390]  He's A2.
[01:03:32.650 --> 01:03:36.530]  And the grand master is going to work as well.
[01:03:37.070 --> 01:03:39.770]  In Charlie's lock, he's on the B system.
[01:03:39.770 --> 01:03:43.150]  So MKA is not going to work.
[01:03:45.010 --> 01:03:46.410]  Alice's key, of course,
[01:03:46.410 --> 01:03:50.210]  and Bob's key are both also not going to work.
[01:03:50.410 --> 01:03:52.210]  Charlie's key will, of course.
[01:03:52.510 --> 01:03:55.610]  And the grand master will as well.
[01:03:55.810 --> 01:03:59.610]  So what we have is a two-level hierarchy system
[01:03:59.610 --> 01:04:01.670]  where we have a master key MKA
[01:04:02.250 --> 01:04:04.470]  that works for Alice's and Bob's lock,
[01:04:04.470 --> 01:04:05.770]  which are on the A system,
[01:04:05.770 --> 01:04:08.250]  but not for Charlie's, which is on the B system,
[01:04:08.250 --> 01:04:11.530]  and a grand master key that works for all of them.
[01:04:11.550 --> 01:04:14.010]  The way that this happens is the grand master key
[01:04:14.010 --> 01:04:15.770]  uses the grand master shear lines
[01:04:15.770 --> 01:04:18.090]  in all positions on all locks.
[01:04:18.310 --> 01:04:21.470]  The MKA uses the grand master shear lines
[01:04:21.470 --> 01:04:23.450]  in just these last three positions,
[01:04:23.450 --> 01:04:24.930]  but not the first two.
[01:04:24.930 --> 01:04:26.230]  So that way you can tell,
[01:04:26.230 --> 01:04:28.150]  is this on the A system?
[01:04:28.350 --> 01:04:31.270]  And all A system locks start with 3-1.
[01:04:31.270 --> 01:04:35.110]  So Alice's key does as does Bob's key.
[01:04:35.110 --> 01:04:36.670]  It starts with 3-1,
[01:04:36.670 --> 01:04:40.530]  and therefore MKA, which also starts with 3-1,
[01:04:40.530 --> 01:04:42.770]  is going to work on Bob's lock.
[01:04:42.770 --> 01:04:46.270]  If we try MKA in Charlie's lock,
[01:04:46.270 --> 01:04:48.150]  it's going to work on the last three pins
[01:04:48.150 --> 01:04:52.710]  because MKA is at the master level on these three pins.
[01:04:52.710 --> 01:04:54.970]  Notice that it shares the last three pins
[01:04:54.970 --> 01:04:56.730]  with the grand master key,
[01:04:56.730 --> 01:04:59.330]  but it is not going to work in Charlie's lock
[01:04:59.330 --> 01:05:02.210]  because MKA is not the master depth
[01:05:02.210 --> 01:05:03.850]  in these first two pins.
[01:05:03.850 --> 01:05:06.710]  We need the grand master key for that.
[01:05:06.710 --> 01:05:10.510]  So we have a multi-level mastering system
[01:05:10.510 --> 01:05:15.970]  that allows certain master keys to open only some locks,
[01:05:15.970 --> 01:05:18.010]  the individual keys only open their own,
[01:05:18.010 --> 01:05:21.990]  and a top-level master key that opens everything.
[01:05:22.070 --> 01:05:25.650]  So that is an example of a three-level system.
[01:05:25.650 --> 01:05:27.530]  This is two-level with just a master
[01:05:27.530 --> 01:05:29.370]  and change keys below it.
[01:05:29.370 --> 01:05:30.910]  This is what we just looked at.
[01:05:30.910 --> 01:05:34.150]  So a grand master key under which we have MKA,
[01:05:34.150 --> 01:05:36.690]  and there would be hypothetically an MKB as well,
[01:05:36.690 --> 01:05:38.610]  and then change keys under that.
[01:05:38.610 --> 01:05:42.630]  So here's Alice and Bob, and Charlie is somewhere over here.
[01:05:42.830 --> 01:05:45.030]  We can have higher levels,
[01:05:45.030 --> 01:05:47.430]  and this requires splitting up the pins more
[01:05:47.430 --> 01:05:49.210]  in the way that we showed you,
[01:05:49.210 --> 01:05:51.930]  or using secondary locking elements.
[01:05:53.230 --> 01:05:56.590]  So looking at our Sargent lock again,
[01:05:56.590 --> 01:05:59.950]  it had this visible shear line here,
[01:05:59.950 --> 01:06:02.190]  and above it is this red pin.
[01:06:02.290 --> 01:06:06.970]  A red driver pin is only used for key pin 456.
[01:06:06.970 --> 01:06:08.130]  We see that this is a zero,
[01:06:08.130 --> 01:06:10.990]  so we know that it's actually a master pin.
[01:06:10.990 --> 01:06:13.890]  So we can start to determine what the other shear line is
[01:06:13.890 --> 01:06:16.710]  in this particular Sargent lock.
[01:06:16.710 --> 01:06:19.110]  And once we know what both shear lines are,
[01:06:19.110 --> 01:06:20.530]  we can then start to determine
[01:06:20.530 --> 01:06:22.230]  which one is going to be the master
[01:06:22.230 --> 01:06:24.730]  and deducing the master key from that.
[01:06:24.810 --> 01:06:26.550]  When we lift up the first two pins
[01:06:26.550 --> 01:06:32.630]  and see that the master wafer on pin three is gold,
[01:06:32.630 --> 01:06:33.890]  we can do the same thing
[01:06:34.350 --> 01:06:37.410]  and determine that the second shear line
[01:06:37.410 --> 01:06:41.510]  is going to match one of three, four, or eight,
[01:06:41.510 --> 01:06:44.490]  plus the one that we know is in there already.
[01:06:45.790 --> 01:06:49.210]  If we have a lock on a master system
[01:06:49.210 --> 01:06:50.710]  and a key for that lock,
[01:06:50.710 --> 01:06:54.350]  we can use that key to actually disassemble the lock.
[01:06:54.350 --> 01:06:55.430]  And it's a whole lot easier
[01:06:55.430 --> 01:06:57.130]  because we can use the key to open the door
[01:06:57.630 --> 01:07:00.410]  and to then unscrew the lock from an open door.
[01:07:00.410 --> 01:07:01.630]  We can also put the key in
[01:07:01.630 --> 01:07:04.790]  and use it to remove the core from the lock.
[01:07:04.790 --> 01:07:05.970]  And then we can look at the pins
[01:07:05.970 --> 01:07:08.250]  and see what they actually say.
[01:07:09.030 --> 01:07:11.010]  So to look at a demo,
[01:07:11.010 --> 01:07:12.850]  in this case, we have our mastered system
[01:07:12.850 --> 01:07:14.450]  and our change key here.
[01:07:14.710 --> 01:07:18.690]  And the mastered pin depths that we find
[01:07:18.690 --> 01:07:20.790]  are two, eight, two, four, et cetera.
[01:07:20.790 --> 01:07:23.390]  And we get this for reading these pins here.
[01:07:23.630 --> 01:07:26.950]  If we put that into our analysis software,
[01:07:26.950 --> 01:07:29.490]  two, eight, two, four, three, five, et cetera,
[01:07:29.490 --> 01:07:31.150]  we find that now the master key
[01:07:31.150 --> 01:07:36.390]  can take on one of each of these two positions in the lock.
[01:07:36.390 --> 01:07:38.990]  And so there's five bits of entropy, which makes sense.
[01:07:38.990 --> 01:07:41.910]  There's two positions in five pins.
[01:07:41.910 --> 01:07:44.950]  And that gives us 32 possible keys
[01:07:44.950 --> 01:07:49.210]  that could work as the master key for this locking system.
[01:07:49.450 --> 01:07:53.350]  We can, of course, create all 32 and try them.
[01:07:53.350 --> 01:07:56.330]  We can create only some, 10,
[01:07:56.330 --> 01:08:00.150]  and then file them down until we've tried all 32 of these.
[01:08:00.150 --> 01:08:01.610]  But we can do better than that
[01:08:01.610 --> 01:08:05.230]  because we have the change key code
[01:08:05.230 --> 01:08:09.690]  and we know that it's a change key, two, four, five, three, one.
[01:08:09.690 --> 01:08:12.030]  And so we know that whichever shear lines
[01:08:12.590 --> 01:08:15.570]  that change key interacts with when it's using the lock
[01:08:15.570 --> 01:08:17.890]  is not going to be the master shear lines.
[01:08:17.890 --> 01:08:21.330]  Therefore, the other shear lines will be the master.
[01:08:21.730 --> 01:08:23.770]  So if we take eight, two, three,
[01:08:23.770 --> 01:08:28.210]  sorry, if we take a change key, two, four, five, three, one,
[01:08:28.210 --> 01:08:32.090]  and we put that into our analysis software,
[01:08:32.090 --> 01:08:36.670]  so known change key, two, four, five, three, one,
[01:08:36.670 --> 01:08:40.270]  it's going to remove two, four, five, three, and one
[01:08:40.270 --> 01:08:48.250]  from the possible depths that this master key could be.
[01:08:48.250 --> 01:08:49.250]  And it's going to leave us
[01:08:49.250 --> 01:08:51.410]  with the other remaining one in each pin stack,
[01:08:51.410 --> 01:08:54.950]  which will be a single master key left, eight, two, three,
[01:08:54.950 --> 01:08:55.990]  nine, nine.
[01:08:55.990 --> 01:08:59.210]  And in fact, that is what we find as the master key
[01:08:59.210 --> 01:09:01.370]  in this particular system.
[01:09:01.490 --> 01:09:03.290]  So that's pretty neat.
[01:09:03.630 --> 01:09:08.170]  Given just a key for a mastered lock
[01:09:08.170 --> 01:09:10.050]  and access to the lock itself,
[01:09:10.050 --> 01:09:13.790]  we can actually derive the master key entirely from that.
[01:09:13.910 --> 01:09:14.870]  The other thing we can do
[01:09:14.870 --> 01:09:16.550]  if we don't want to disassemble locks
[01:09:16.550 --> 01:09:18.790]  is we can combine information
[01:09:19.310 --> 01:09:22.250]  from a number of these low-level change keys
[01:09:22.250 --> 01:09:23.950]  and use that to determine
[01:09:23.950 --> 01:09:27.890]  what the master key could possibly be in a system.
[01:09:28.110 --> 01:09:31.310]  So let's say we have a Schlage system,
[01:09:31.310 --> 01:09:34.630]  so five pins and 10 depths each,
[01:09:34.630 --> 01:09:36.730]  and Schlage is zero base numbering.
[01:09:37.530 --> 01:09:39.190]  The master key in this system
[01:09:39.190 --> 01:09:42.150]  could be any one of a hundred thousand possibilities.
[01:09:42.410 --> 01:09:44.470]  If we know what one change key is,
[01:09:44.470 --> 01:09:47.630]  let's say it's two, six, three, five, zero.
[01:09:49.170 --> 01:09:52.250]  And we go ahead and add that as a rule.
[01:09:53.950 --> 01:09:56.950]  We now have, instead of 10 to the five,
[01:09:56.950 --> 01:09:58.110]  we have nine to the five.
[01:09:58.110 --> 01:09:59.930]  So a little better, but not great.
[01:10:00.370 --> 01:10:04.470]  What we do see though is that in a Schlage system,
[01:10:04.470 --> 01:10:07.250]  remember I talked about how if we have a pin
[01:10:07.250 --> 01:10:10.170]  that's one too low or a little bit too high,
[01:10:10.170 --> 01:10:13.430]  the lock might still accept it for a very worn out lock.
[01:10:13.430 --> 01:10:15.090]  And that would be a bad thing
[01:10:15.090 --> 01:10:17.630]  for a lock to accidentally accept
[01:10:18.130 --> 01:10:20.710]  a key that's not a master key as if it were.
[01:10:20.870 --> 01:10:22.550]  So what Schlage does to avoid that
[01:10:22.550 --> 01:10:24.970]  is uses what's called the two-step system.
[01:10:25.410 --> 01:10:31.350]  Every position that any key in this system will take
[01:10:31.350 --> 01:10:34.670]  in pin one is going to be even, pin two will be even,
[01:10:34.670 --> 01:10:36.490]  pin three will be odd, et cetera.
[01:10:36.490 --> 01:10:39.510]  So we're always skipping every other depth
[01:10:39.510 --> 01:10:42.050]  to make sure that we don't have anything that's too close
[01:10:42.050 --> 01:10:43.570]  and is going to create problems
[01:10:44.110 --> 01:10:47.490]  with keys operating locks they're not supposed to.
[01:10:48.030 --> 01:10:50.650]  So what that means when we turn on the two-step system here
[01:10:50.650 --> 01:10:54.030]  is it severely limits our key space.
[01:10:54.330 --> 01:10:58.870]  Now pin one must be even, so zero, two, four, six, eight,
[01:10:58.870 --> 01:11:01.850]  but it can't be a two because that's what our change key is.
[01:11:01.850 --> 01:11:03.470]  And we do that for the rest of the pins
[01:11:03.470 --> 01:11:08.270]  and we get 1024 possibilities, so four to the power of five.
[01:11:08.630 --> 01:11:11.290]  We can get another change key.
[01:11:11.770 --> 01:11:14.590]  And so this is going to be two-step as well, of course.
[01:11:14.790 --> 01:11:19.790]  So that's, let's say, six, four, one, three, two.
[01:11:19.790 --> 01:11:22.550]  If we have another person conspiring to get in on this plan
[01:11:22.550 --> 01:11:24.030]  to derive the master key.
[01:11:24.030 --> 01:11:27.290]  And now we have only three possibilities each.
[01:11:27.290 --> 01:11:32.650]  And if two more people sign on, so four, two, seven, nine,
[01:11:32.650 --> 01:11:37.330]  six, and we've eliminated even more of the possibilities.
[01:11:37.650 --> 01:11:43.230]  And finally, eight, six, three, one, eight.
[01:11:43.690 --> 01:11:46.970]  And we've now got it down to only four possible master keys.
[01:11:46.970 --> 01:11:48.670]  So we could absolutely just make these four
[01:11:48.670 --> 01:11:51.430]  and try them out and hope that one is going to work.
[01:11:51.610 --> 01:11:53.150]  Well, we know one's going to work,
[01:11:53.570 --> 01:11:55.130]  but we can do better than that.
[01:11:55.330 --> 01:11:58.130]  We know that pin one is a zero cut.
[01:11:58.250 --> 01:12:00.450]  Pin two is a zero or an eight,
[01:12:00.450 --> 01:12:02.550]  but an eight is a max violation.
[01:12:02.550 --> 01:12:05.190]  It's too far from pin one, which is zero.
[01:12:05.190 --> 01:12:07.110]  So we know it's zero as well.
[01:12:07.450 --> 01:12:09.010]  And now if you look at pin three,
[01:12:09.010 --> 01:12:10.590]  it could be a five or a nine,
[01:12:10.590 --> 01:12:13.310]  but a nine now is too far from a zero,
[01:12:13.310 --> 01:12:14.770]  which we know pin two is.
[01:12:14.770 --> 01:12:19.890]  So in fact, the master key is going to be 00574.
[01:12:19.890 --> 01:12:22.690]  And if we add this max rule of seven,
[01:12:22.690 --> 01:12:24.710]  we find that that's the case.
[01:12:24.750 --> 01:12:26.990]  So by combining these multiple change keys,
[01:12:26.990 --> 01:12:28.890]  we've been able to derive the master key
[01:12:28.890 --> 01:12:30.750]  without taking a lock apart,
[01:12:30.750 --> 01:12:34.950]  just by using the information on those change keys.
[01:12:35.230 --> 01:12:37.710]  From an information theory perspective,
[01:12:38.110 --> 01:12:40.370]  we can calculate these conditional entropies
[01:12:40.370 --> 01:12:42.810]  from the rules that we've been looking at.
[01:12:42.810 --> 01:12:45.710]  And we see that we have a lot of shared information
[01:12:45.710 --> 01:12:46.590]  between them.
[01:12:46.590 --> 01:12:48.730]  That's because each of these rules tells us
[01:12:48.730 --> 01:12:50.050]  that it's on a two-step system,
[01:12:50.050 --> 01:12:53.110]  which knocks out one out of every two position
[01:12:53.110 --> 01:12:54.810]  in every single pin.
[01:12:54.810 --> 01:12:57.250]  So that's a lot of information that gives us,
[01:12:57.250 --> 01:12:58.310]  four and a half bits,
[01:12:58.310 --> 01:13:01.870]  as well as we're knocking out an additional depth
[01:13:01.870 --> 01:13:05.090]  from each pin from each of these keys that we have.
[01:13:05.090 --> 01:13:06.930]  And so that's these two bits here.
[01:13:06.930 --> 01:13:08.310]  So between all that,
[01:13:08.310 --> 01:13:10.230]  it gives us a lot of information
[01:13:10.230 --> 01:13:12.230]  that we can then use to determine
[01:13:12.690 --> 01:13:15.610]  what that master code actually is.
[01:13:15.610 --> 01:13:18.730]  So we can actually derive the master key for a system
[01:13:18.730 --> 01:13:22.130]  using just one lock and one key for that lock
[01:13:22.130 --> 01:13:24.330]  without ever taking that lock apart,
[01:13:24.330 --> 01:13:27.350]  using a technique called rights amplification.
[01:13:27.350 --> 01:13:29.430]  So this has been known to locksmiths for decades.
[01:13:29.630 --> 01:13:32.590]  And it was first made known in the InfoSec community
[01:13:32.590 --> 01:13:35.610]  with the 2003 paper by Matt Blaze.
[01:13:35.650 --> 01:13:38.190]  The general technique looks like this.
[01:13:38.190 --> 01:13:40.510]  So Alice has a key for her lock.
[01:13:40.510 --> 01:13:42.210]  And of course it works on her lock.
[01:13:42.210 --> 01:13:44.030]  And she knows that the master key,
[01:13:44.030 --> 01:13:45.090]  whatever it is,
[01:13:45.090 --> 01:13:47.670]  is going to operate on different shear lines
[01:13:47.670 --> 01:13:49.290]  than her key does.
[01:13:49.290 --> 01:13:51.610]  So she needs to find what the other shear lines are
[01:13:51.610 --> 01:13:52.970]  in her lock.
[01:13:52.970 --> 01:13:55.090]  The way she can do that,
[01:13:55.090 --> 01:13:56.750]  is while looking at her key,
[01:13:56.750 --> 01:13:58.870]  it has a zero cut in pin three.
[01:13:58.870 --> 01:14:00.210]  So that's a good place to start
[01:14:00.210 --> 01:14:02.270]  because we can start varying
[01:14:03.090 --> 01:14:05.930]  what that depth is just in pin three.
[01:14:06.310 --> 01:14:08.170]  And if we leave everything else the same,
[01:14:08.170 --> 01:14:08.970]  it's going to work.
[01:14:08.970 --> 01:14:10.750]  So if the lock does not open,
[01:14:10.750 --> 01:14:12.630]  it's only because of the pin three.
[01:14:12.630 --> 01:14:13.490]  And if it does,
[01:14:13.490 --> 01:14:15.670]  we know we found a shear line in pin three.
[01:14:16.130 --> 01:14:18.350]  So cut zero is what her key is.
[01:14:18.350 --> 01:14:20.250]  So it's definitely going to work.
[01:14:20.250 --> 01:14:21.950]  She brings it down to a cut one.
[01:14:21.950 --> 01:14:23.150]  Can we try it?
[01:14:23.290 --> 01:14:24.670]  And it doesn't work.
[01:14:24.670 --> 01:14:25.630]  So she pulls it out
[01:14:26.210 --> 01:14:27.470]  and tries a cut two
[01:14:27.470 --> 01:14:29.390]  and tries it in her lock.
[01:14:29.750 --> 01:14:31.230]  And it does work.
[01:14:31.290 --> 01:14:33.390]  So now Alice knows that she's actually deduced
[01:14:33.390 --> 01:14:37.190]  the master shear line in pin three.
[01:14:38.950 --> 01:14:41.230]  And that's because it's the other shear line
[01:14:41.230 --> 01:14:42.970]  that works in her lock.
[01:14:42.970 --> 01:14:45.070]  So she can take her modified key.
[01:14:45.070 --> 01:14:45.930]  So Alice's key
[01:14:46.570 --> 01:14:48.950]  and file it down to a two
[01:14:48.950 --> 01:14:50.930]  and try it in Bob's lock.
[01:14:50.930 --> 01:14:52.330]  And it also works
[01:14:52.330 --> 01:14:54.550]  because Bob's lock is very close to hers
[01:14:54.550 --> 01:14:55.930]  on the same system.
[01:14:55.930 --> 01:14:57.990]  Bob is a two, she's a one.
[01:14:59.150 --> 01:15:01.810]  Alice can then go and take her modified key.
[01:15:02.130 --> 01:15:04.410]  So we take Alice's key
[01:15:05.050 --> 01:15:09.450]  and we modify it from a zero down to a two.
[01:15:09.510 --> 01:15:11.610]  And we can try it in Charlie's lock.
[01:15:11.610 --> 01:15:13.610]  And it doesn't work, which is no surprise.
[01:15:13.610 --> 01:15:15.650]  Charlie's lock is B34.
[01:15:15.650 --> 01:15:17.650]  It's very far from Alice's.
[01:15:17.730 --> 01:15:20.710]  And she's only found one of the master depths.
[01:15:20.710 --> 01:15:22.870]  So she's going to need to repeat this.
[01:15:23.130 --> 01:15:26.710]  Her new sub master key is 31234.
[01:15:27.350 --> 01:15:31.250]  She can get a new key cut that's at 01234
[01:15:31.850 --> 01:15:36.210]  and try the zero cut to see if it might be a shear line.
[01:15:36.210 --> 01:15:38.030]  And as it turns out, it is.
[01:15:38.510 --> 01:15:44.050]  So we now have a master depth in pin one and pin three.
[01:15:44.050 --> 01:15:48.990]  So now we get a key cut 00234.
[01:15:49.290 --> 01:15:50.750]  And we try that.
[01:15:51.790 --> 01:15:54.390]  It does not work in her lock.
[01:15:54.390 --> 01:15:56.570]  So she pulls it out and files it down to a one
[01:15:56.570 --> 01:15:58.870]  to try the next position.
[01:15:59.410 --> 01:16:00.670]  And of course it does work,
[01:16:00.670 --> 01:16:04.450]  which we knew because that was what her key was originally.
[01:16:04.450 --> 01:16:08.170]  So we take it down to a two and we try it.
[01:16:08.270 --> 01:16:09.890]  It doesn't work.
[01:16:10.550 --> 01:16:13.870]  Take it down to a three, try that in her lock.
[01:16:13.870 --> 01:16:15.030]  And it does work.
[01:16:15.030 --> 01:16:20.150]  So now we found the master depths for pin one, two,
[01:16:20.150 --> 01:16:24.730]  and three in Alice's lock by finding the other shear lines.
[01:16:24.730 --> 01:16:26.210]  We can keep going.
[01:16:26.790 --> 01:16:27.790]  03234.
[01:16:27.790 --> 01:16:32.050]  We're going to get a new key cut with four as the highest.
[01:16:32.050 --> 01:16:37.870]  So 02304, and we'll put that in.
[01:16:37.930 --> 01:16:40.130]  And she tries it and it doesn't work.
[01:16:40.130 --> 01:16:42.850]  And so she files it down to a one, tries it.
[01:16:42.850 --> 01:16:44.010]  It doesn't work.
[01:16:44.010 --> 01:16:46.150]  Two tries, doesn't work.
[01:16:46.170 --> 01:16:47.830]  Three tries.
[01:16:47.830 --> 01:16:50.470]  It does work, but we sort of knew that
[01:16:50.470 --> 01:16:53.630]  that was what her key was originally.
[01:16:53.630 --> 01:16:55.050]  So we keep going.
[01:16:55.050 --> 01:16:58.490]  A four, we try it, doesn't work.
[01:16:58.530 --> 01:17:01.270]  File it down to a five, we try it and it does work.
[01:17:01.270 --> 01:17:03.870]  So now Alice has found the master depth
[01:17:03.870 --> 01:17:07.950]  in pins one through four using her lock.
[01:17:08.370 --> 01:17:12.590]  And so now we have 0325 is our master depths.
[01:17:12.590 --> 01:17:15.810]  And then we want to find out what the master is
[01:17:15.810 --> 01:17:17.050]  in pin five as well.
[01:17:17.050 --> 01:17:20.110]  So we put it to a zero, but that's a max violation.
[01:17:20.110 --> 01:17:23.330]  So we put it to a one and we try that.
[01:17:23.330 --> 01:17:25.510]  And it does not work.
[01:17:25.770 --> 01:17:28.690]  You put it down to a two and it does work.
[01:17:28.690 --> 01:17:30.550]  And Alice's key originally was a four.
[01:17:30.550 --> 01:17:35.770]  So we now have a two as our master depth in pin five.
[01:17:35.770 --> 01:17:40.670]  So our master code should be 03252.
[01:17:41.030 --> 01:17:44.630]  Alice can try this in Bob's lock as a sanity check.
[01:17:49.270 --> 01:17:53.310]  So 03252, and she tries it and it does work.
[01:17:53.330 --> 01:17:54.970]  So that's a very good sign.
[01:17:54.970 --> 01:17:57.290]  And then Charlie's lock is the real test.
[01:18:02.510 --> 01:18:03.630]  03252.
[01:18:04.630 --> 01:18:08.310]  And she tries that and it works in Charlie's lock as well.
[01:18:08.390 --> 01:18:13.890]  So by sweeping all possible depths in each pin
[01:18:14.490 --> 01:18:17.550]  within Alice's lock and seeing if it still works
[01:18:17.550 --> 01:18:20.010]  on each depth, Alice is able to discover
[01:18:20.010 --> 01:18:22.430]  what the other shear lines are in her lock
[01:18:22.430 --> 01:18:24.950]  by modifying her currently working key
[01:18:25.330 --> 01:18:28.310]  and in doing so deduce the grand master key
[01:18:28.950 --> 01:18:33.030]  that is going to work in every lock on this system.
[01:18:33.150 --> 01:18:35.110]  So one additional interesting lock configuration
[01:18:35.110 --> 01:18:36.610]  that gives us a little bit of information
[01:18:36.610 --> 01:18:38.850]  is a construction keyed system.
[01:18:38.850 --> 01:18:41.810]  So let's take a look at what that actually is.
[01:18:41.970 --> 01:18:43.650]  In a construction lock system,
[01:18:43.650 --> 01:18:47.930]  we have instead of one master wafer, a smaller ball bearing.
[01:18:47.930 --> 01:18:49.790]  And that acts as a master wafer
[01:18:49.790 --> 01:18:51.970]  while the building is under construction,
[01:18:51.970 --> 01:18:54.450]  being used by the construction master key.
[01:18:54.450 --> 01:18:56.270]  So it goes in and it works
[01:18:56.270 --> 01:18:58.450]  and that ball bearing is below the shear line.
[01:18:58.450 --> 01:19:01.870]  And so it operates as a master wafer.
[01:19:01.890 --> 01:19:05.050]  What happens though, when construction is done
[01:19:05.050 --> 01:19:07.970]  and the user comes along with the grand master key
[01:19:07.970 --> 01:19:12.370]  is it is a little bit higher by that ball bearing
[01:19:12.370 --> 01:19:14.130]  than the construction master.
[01:19:14.190 --> 01:19:16.430]  And it goes in and it lifts that ball bearing
[01:19:16.430 --> 01:19:18.090]  above the shear line.
[01:19:18.090 --> 01:19:20.130]  Well, what happens then,
[01:19:20.130 --> 01:19:24.010]  the construction core is a little bit special as well.
[01:19:24.390 --> 01:19:28.770]  It contains a number of holes in it
[01:19:28.770 --> 01:19:33.110]  that are going to line up with the top of the pin stack
[01:19:33.110 --> 01:19:35.550]  when that core starts to get turned.
[01:19:35.550 --> 01:19:38.750]  That ball bearing that's now in the upper pin stack
[01:19:38.750 --> 01:19:43.170]  is actually going to get dropped into one of these holes,
[01:19:43.170 --> 01:19:46.770]  at which point it stays trapped there forever.
[01:19:49.310 --> 01:19:52.370]  So in the lock, when the new user of the building
[01:19:52.370 --> 01:19:55.530]  turns this key, this ball bearing is going to drop out
[01:19:56.170 --> 01:19:58.210]  and it stays gone forever,
[01:19:58.210 --> 01:20:00.030]  or it stays trapped in that hole,
[01:20:00.030 --> 01:20:02.430]  at which point it's like that ball bearing
[01:20:02.430 --> 01:20:05.510]  or that shear line no longer exists.
[01:20:05.510 --> 01:20:07.850]  So the grand master key continues to work,
[01:20:07.850 --> 01:20:10.310]  but if the construction worker ever comes back
[01:20:10.310 --> 01:20:13.050]  and tries to get the construction master to work,
[01:20:13.050 --> 01:20:15.450]  it's not going to, it's going to bind in this shear line
[01:20:15.450 --> 01:20:17.290]  because that ball bearing is gone.
[01:20:18.090 --> 01:20:20.130]  So there's two things we can do with this.
[01:20:20.170 --> 01:20:22.130]  One is, if a construction worker
[01:20:22.130 --> 01:20:23.690]  still has the construction master
[01:20:23.690 --> 01:20:25.410]  and wants to make it work again,
[01:20:25.410 --> 01:20:28.230]  all he has to do is know that there was a ball bearing
[01:20:28.230 --> 01:20:30.750]  in pin one and its depth was four.
[01:20:30.970 --> 01:20:33.570]  And so from six, four, nine, four, three,
[01:20:33.570 --> 01:20:39.070]  we can get a key cut to two, four, nine, four, three.
[01:20:39.070 --> 01:20:40.930]  So that's four higher in pin one.
[01:20:41.330 --> 01:20:45.550]  And that is now going to match the new GMK shear line
[01:20:45.550 --> 01:20:47.810]  and it is going to work.
[01:20:47.810 --> 01:20:49.290]  The second thing that we can notice
[01:20:49.290 --> 01:20:52.890]  is that for our new grand master key,
[01:20:52.890 --> 01:20:56.790]  it can't be deeper than a cut six,
[01:20:56.790 --> 01:21:00.090]  because if it is deeper than a cut six,
[01:21:00.090 --> 01:21:02.190]  then the construction key that must have gone with it
[01:21:02.190 --> 01:21:04.050]  is four less than that.
[01:21:04.050 --> 01:21:06.110]  Well, four less than six is a 10 cut,
[01:21:06.110 --> 01:21:09.390]  and that's not possible in this particular system,
[01:21:09.390 --> 01:21:11.090]  which goes from one to 10.
[01:21:11.750 --> 01:21:15.330]  So we can add that to our rule set.
[01:21:15.330 --> 01:21:17.070]  And we have 10,000 possibilities
[01:21:17.070 --> 01:21:19.270]  reduced to 80,000 after max.
[01:21:19.390 --> 01:21:21.430]  And we add a construction key and rule
[01:21:21.430 --> 01:21:24.930]  that in pin one, there was a ball bearing with thickness four
[01:21:25.570 --> 01:21:26.910]  and the master construction key
[01:21:26.910 --> 01:21:29.850]  also has to have a max of seven.
[01:21:30.150 --> 01:21:32.730]  And it'll take the computer a few seconds to crunch that.
[01:21:32.730 --> 01:21:34.770]  And we see that these bottom four positions
[01:21:34.770 --> 01:21:36.550]  cannot be that master key
[01:21:36.990 --> 01:21:39.370]  because there would have been no possible construction key
[01:21:39.370 --> 01:21:41.250]  to make from it.
[01:21:41.390 --> 01:21:44.310]  The max requirement for the construction key
[01:21:44.310 --> 01:21:45.470]  and the grand master key
[01:21:45.470 --> 01:21:47.310]  with a difference of four in pin one
[01:21:47.950 --> 01:21:51.470]  further limits what lock or what key differs
[01:21:51.470 --> 01:21:54.690]  are available to be our master key.
[01:21:55.510 --> 01:21:58.510]  So that's one interesting type of system.
[01:21:58.510 --> 01:22:01.950]  Another is what's called interchangeable core systems.
[01:22:02.070 --> 01:22:04.330]  So if you have ever seen locks that look like this,
[01:22:04.330 --> 01:22:06.810]  they have a figure eight shape around them.
[01:22:06.810 --> 01:22:08.590]  That's because that figure eight shape
[01:22:08.590 --> 01:22:09.910]  is actually removable.
[01:22:09.910 --> 01:22:12.670]  And there's a little locking lug that keeps it in place,
[01:22:12.670 --> 01:22:14.890]  but with a special key called a control key,
[01:22:14.890 --> 01:22:16.630]  we can remove it.
[01:22:16.830 --> 01:22:18.110]  So the way that this works
[01:22:19.210 --> 01:22:25.610]  is we have our IC core that looks something like this.
[01:22:25.870 --> 01:22:28.750]  And when we normally operate it,
[01:22:30.090 --> 01:22:32.530]  it's going to turn just the plug
[01:22:32.530 --> 01:22:34.430]  and the core stays in place.
[01:22:34.430 --> 01:22:36.490]  But when we use a special control key,
[01:22:36.490 --> 01:22:38.030]  it's going to turn slightly
[01:22:38.030 --> 01:22:42.530]  and retract this IC locking lug.
[01:22:43.410 --> 01:22:47.390]  The way that that works is if we look at
[01:22:50.610 --> 01:22:53.410]  just the core and the IC collar,
[01:22:53.410 --> 01:22:55.310]  we have two shear lines.
[01:22:55.310 --> 01:22:59.410]  One is matching where the plug is,
[01:22:59.410 --> 01:23:01.510]  and one is a little bit higher,
[01:23:01.510 --> 01:23:04.430]  and it's going to be just for the IC collar.
[01:23:04.430 --> 01:23:08.310]  So if our pins have a shear line all matching the plug,
[01:23:08.310 --> 01:23:11.110]  then the plug is going to turn,
[01:23:12.050 --> 01:23:13.630]  but the collar will not.
[01:23:13.630 --> 01:23:16.730]  And so this is a standard unlocking of this lock.
[01:23:16.730 --> 01:23:19.410]  If however, the pins extend up
[01:23:19.410 --> 01:23:21.630]  and we have a shear line across these two pins,
[01:23:21.630 --> 01:23:25.970]  and then the upper shear line on the IC collar,
[01:23:25.970 --> 01:23:27.850]  and then these two as well,
[01:23:27.850 --> 01:23:30.610]  then what happens is our interchangeable collar
[01:23:30.610 --> 01:23:33.150]  gets retracted and it allows us
[01:23:33.150 --> 01:23:35.730]  to remove this particular lock.
[01:23:36.570 --> 01:23:40.710]  This is very interesting when we look at systems
[01:23:40.710 --> 01:23:42.290]  that do not have an IC collar
[01:23:42.290 --> 01:23:44.230]  that extends across all the pins.
[01:23:44.230 --> 01:23:47.730]  In this case, it only uses pins three and four,
[01:23:47.730 --> 01:23:51.170]  and that creates a number of interesting properties.
[01:23:51.790 --> 01:23:54.190]  So one of those properties is,
[01:23:54.190 --> 01:23:57.710]  let's make this into a Medeco system.
[01:24:01.100 --> 01:24:03.860]  We can see this collar here.
[01:24:03.960 --> 01:24:07.800]  And so we have this lower shear line with the plug
[01:24:07.800 --> 01:24:10.180]  and this upper shear line for the IC collar.
[01:24:10.180 --> 01:24:11.640]  And that's what we're going to look at
[01:24:11.640 --> 01:24:14.020]  when we examine how these locks work
[01:24:14.020 --> 01:24:15.920]  in terms of the bitting.
[01:24:18.180 --> 01:24:20.800]  So what's powerful about how they work
[01:24:20.800 --> 01:24:22.600]  in terms of the bitting,
[01:24:22.960 --> 01:24:24.860]  in terms of getting us information,
[01:24:24.860 --> 01:24:27.260]  is the way many locksmiths do it up.
[01:24:27.260 --> 01:24:29.240]  And so we'll use Medeco as an example,
[01:24:29.240 --> 01:24:30.420]  because as we'll see,
[01:24:30.420 --> 01:24:33.800]  it creates a very restricted set of possible master keys
[01:24:33.800 --> 01:24:37.240]  for IC core systems in many, many cases.
[01:24:37.240 --> 01:24:41.460]  So we have our change key and we put it into the lock
[01:24:42.300 --> 01:24:47.440]  and it unlocks to the regular shear line.
[01:24:47.440 --> 01:24:50.760]  And so we turn the key, it unlocks regularly.
[01:24:50.840 --> 01:24:54.940]  And our master key is completely different bits, of course,
[01:24:54.940 --> 01:24:56.080]  completely different heights,
[01:24:56.080 --> 01:24:59.040]  but it also unlocks to our regular shear line
[01:24:59.040 --> 01:25:02.740]  and the interchangeable shear line binds.
[01:25:02.740 --> 01:25:04.980]  So that does not actually open.
[01:25:04.980 --> 01:25:08.720]  However, when we put in our core remove key,
[01:25:08.720 --> 01:25:12.200]  it now binds between the core and the IC collar,
[01:25:12.200 --> 01:25:15.560]  but has a shear line at the top of the IC collar.
[01:25:15.800 --> 01:25:18.020]  So when we turn that, it's going to turn the IC collar
[01:25:18.980 --> 01:25:22.440]  and release it and allow us to remove that IC core.
[01:25:22.440 --> 01:25:26.060]  And we see now that it works on this upper shear line,
[01:25:26.060 --> 01:25:27.060]  as well as, of course,
[01:25:27.060 --> 01:25:30.260]  the lower ones have to work for the plug to turn as well.
[01:25:31.360 --> 01:25:33.100]  What many locksmiths do
[01:25:33.100 --> 01:25:36.260]  in order to avoid having to have multiple shear lines
[01:25:36.260 --> 01:25:37.180]  in a pin stack,
[01:25:37.180 --> 01:25:40.600]  and also avoid limitations on the mastering system,
[01:25:40.600 --> 01:25:43.600]  is they will have the change key,
[01:25:43.600 --> 01:25:45.760]  or sorry, the core remove key,
[01:25:45.760 --> 01:25:49.400]  simply be three positions higher than the master key
[01:25:49.400 --> 01:25:52.980]  in those two IC collar control pins.
[01:25:52.980 --> 01:25:55.380]  It doesn't have to be done this way.
[01:25:55.600 --> 01:25:58.260]  We could do something a little bit different.
[01:25:58.260 --> 01:25:59.920]  We could have our core remove key,
[01:25:59.920 --> 01:26:03.200]  say be something a bit lower,
[01:26:03.200 --> 01:26:11.660]  and then have our core control position be at an eight cut.
[01:26:11.660 --> 01:26:14.300]  So that wouldn't be ever possible to create a key that deep,
[01:26:14.300 --> 01:26:16.140]  but it will remove the core.
[01:26:16.700 --> 01:26:19.460]  But many locksmiths don't do that
[01:26:19.460 --> 01:26:21.080]  because it requires more pins,
[01:26:21.080 --> 01:26:25.800]  as well as it restricts the size of your mastering system.
[01:26:25.800 --> 01:26:28.480]  And this is true, particularly for Medeco.
[01:26:29.040 --> 01:26:31.720]  We see empirically about two thirds of the time
[01:26:31.720 --> 01:26:34.660]  this being done with the grandmaster key
[01:26:34.660 --> 01:26:38.140]  and the core remove key just being three positions different
[01:26:38.520 --> 01:26:41.760]  in those two middle positions.
[01:26:42.180 --> 01:26:45.820]  In Medeco, that becomes incredibly powerful actually
[01:26:46.400 --> 01:26:51.700]  for deducing what the master key is going to be.
[01:26:52.300 --> 01:26:56.080]  So in a 12 cut Medeco key,
[01:26:56.080 --> 01:27:00.080]  so Medeco can have two cuts, double cuts in some positions
[01:27:00.080 --> 01:27:03.260]  or all of them to create a high level master key.
[01:27:03.260 --> 01:27:04.600]  And we'll talk a little bit more later
[01:27:04.600 --> 01:27:07.120]  about what that specifically means.
[01:27:07.120 --> 01:27:09.360]  But because these double cuts are so wide,
[01:27:09.360 --> 01:27:11.440]  the MACS is very small.
[01:27:11.440 --> 01:27:15.680]  It's a two between a double cut and a double cut.
[01:27:15.680 --> 01:27:19.320]  And so that already, that MACS of two severely limits
[01:27:19.320 --> 01:27:22.180]  what a Medeco system can take on.
[01:27:22.180 --> 01:27:25.880]  So a Medeco system would have six depths, usually six pins,
[01:27:27.320 --> 01:27:30.700]  and it has a MACS of only two.
[01:27:32.040 --> 01:27:34.600]  And so that reduces us from 46,000
[01:27:34.600 --> 01:27:40.060]  down to only 7,300 possible combinations.
[01:27:40.060 --> 01:27:45.240]  But what the IC core does is significantly more restrictive
[01:27:45.960 --> 01:27:51.460]  because if we want to make the IC control key three higher
[01:27:51.460 --> 01:27:53.500]  than the master key,
[01:27:53.500 --> 01:27:56.220]  that means that the master key can't be a one, two or three
[01:27:56.720 --> 01:27:59.060]  in pins three and four.
[01:27:59.480 --> 01:28:02.400]  And so we'll add that rule there as well.
[01:28:02.420 --> 01:28:07.160]  And the master control key has to adhere to MACS in addition.
[01:28:07.160 --> 01:28:09.900]  So we'll see the effect that that has when we add this rule
[01:28:10.280 --> 01:28:12.300]  and it'll take a second to compute.
[01:28:12.840 --> 01:28:14.700]  And so what we see is,
[01:28:14.700 --> 01:28:16.880]  these three positions cannot be held
[01:28:16.880 --> 01:28:19.080]  by pins three or four in the master system.
[01:28:19.080 --> 01:28:22.060]  So the master is forced down to four, five and six.
[01:28:22.160 --> 01:28:24.740]  In addition, pin two can't be a one
[01:28:24.740 --> 01:28:26.860]  because that's a MACS violation.
[01:28:26.860 --> 01:28:28.580]  Master must be four or lower.
[01:28:28.580 --> 01:28:31.740]  So it can't go up three, the MACS is two.
[01:28:32.180 --> 01:28:36.520]  Pin six, or pin two and pin five, can't be a six depth
[01:28:36.520 --> 01:28:38.240]  because that would be a MACS violation
[01:28:38.240 --> 01:28:41.340]  for the interchangeable core control key.
[01:28:41.340 --> 01:28:45.400]  If our grand master key is the deepest, it's a six cut.
[01:28:45.400 --> 01:28:48.700]  That means our IC core is three higher or a three cut.
[01:28:48.700 --> 01:28:50.900]  And we can't have a six beside a three
[01:28:50.900 --> 01:28:54.080]  in our interchangeable core master key.
[01:28:54.080 --> 01:28:57.360]  So that significantly reduces the key space available
[01:28:57.360 --> 01:29:00.120]  in these types of Medeco systems.
[01:29:00.260 --> 01:29:03.520]  Right now, it's down to 784.
[01:29:03.640 --> 01:29:05.820]  It gets even more restricted than that
[01:29:05.820 --> 01:29:07.600]  for the following reason.
[01:29:08.080 --> 01:29:09.340]  It's generally a good idea
[01:29:09.340 --> 01:29:12.780]  to have our master key use at least one pin
[01:29:12.780 --> 01:29:14.580]  in the highest position.
[01:29:14.580 --> 01:29:17.480]  And that way we can make sure that none of our change keys
[01:29:17.480 --> 01:29:20.800]  will be able to be filed down into a master key.
[01:29:20.800 --> 01:29:22.320]  We could have one a bit lower,
[01:29:22.320 --> 01:29:24.020]  but that's then gonna restrict how large
[01:29:24.020 --> 01:29:27.640]  our master system can grow while adhering to that rule.
[01:29:27.740 --> 01:29:29.980]  If we look at the limitations imposed
[01:29:29.980 --> 01:29:31.840]  by this particular system,
[01:29:31.840 --> 01:29:33.620]  we'll see that there's only two places
[01:29:34.000 --> 01:29:39.320]  that that one cut can go, pin one or pin six.
[01:29:39.340 --> 01:29:44.900]  So if we add a requirement that one pin must be high cut,
[01:29:44.900 --> 01:29:47.460]  and it'll take a minute to compute that as well,
[01:29:47.460 --> 01:29:49.180]  we're gonna see that we're now down
[01:29:49.180 --> 01:29:53.160]  to 159 possible master keys.
[01:29:53.160 --> 01:29:55.700]  That is a significant limitation,
[01:29:55.700 --> 01:29:58.540]  and that's given very little information
[01:29:58.540 --> 01:30:01.540]  about our Medeco system.
[01:30:01.540 --> 01:30:06.440]  It's given that we have a large facility,
[01:30:06.440 --> 01:30:08.040]  so we can assume that they were planning
[01:30:08.040 --> 01:30:11.920]  for potentially needing to expand to a master key
[01:30:11.920 --> 01:30:14.160]  that's double cut in all positions.
[01:30:14.300 --> 01:30:17.040]  And we see at least one interchangeable core
[01:30:17.040 --> 01:30:19.260]  somewhere on that system.
[01:30:19.420 --> 01:30:20.720]  And that's it.
[01:30:21.220 --> 01:30:23.240]  Knowing those two things,
[01:30:23.240 --> 01:30:26.240]  we can infer that with about a two thirds probability,
[01:30:26.240 --> 01:30:28.180]  our master key is going to be limited
[01:30:28.180 --> 01:30:30.660]  to one of these 159.
[01:30:30.660 --> 01:30:32.560]  It gets even less than that,
[01:30:32.560 --> 01:30:36.840]  because it usually makes sense to put
[01:30:36.840 --> 01:30:39.600]  your one depth in pin one,
[01:30:39.600 --> 01:30:41.340]  and that way the key is nice and sturdy,
[01:30:41.340 --> 01:30:42.400]  it's not gonna break.
[01:30:42.400 --> 01:30:44.720]  We don't wanna put a very deep cut in pin one,
[01:30:44.720 --> 01:30:48.260]  or that grand master key is liable to break off.
[01:30:48.520 --> 01:30:52.360]  And so when we add that particular requirement,
[01:30:53.500 --> 01:30:57.780]  it then is only 84 differs that follow through in pin one,
[01:30:57.780 --> 01:31:01.560]  and we can see MACS restricts this incredibly tightly.
[01:31:01.580 --> 01:31:05.480]  So there's the 84 possible situations that could exist
[01:31:06.040 --> 01:31:09.280]  if locksmiths do what a lot of them do
[01:31:09.280 --> 01:31:11.000]  when designing Medeco systems,
[01:31:11.000 --> 01:31:12.660]  which is follow these constraints.
[01:31:12.660 --> 01:31:15.320]  It limits the key space significantly.
[01:31:15.320 --> 01:31:16.620]  Now they don't need to.
[01:31:16.620 --> 01:31:20.040]  They don't need to use a pin at the highest one.
[01:31:20.040 --> 01:31:22.160]  They could put it in pin six instead.
[01:31:22.160 --> 01:31:24.360]  And of course they could do up their IC system
[01:31:24.360 --> 01:31:27.240]  so that it doesn't require their master key to be low
[01:31:27.240 --> 01:31:28.980]  in pins three and four.
[01:31:29.240 --> 01:31:31.660]  But most locksmiths don't really think about
[01:31:31.660 --> 01:31:34.320]  the key space reduction that they are creating
[01:31:34.320 --> 01:31:36.900]  in terms of brute forcing this master key
[01:31:36.900 --> 01:31:39.180]  when they're designing that system.
[01:31:39.180 --> 01:31:42.900]  And so that's why this is something that's so common to see.
[01:31:43.840 --> 01:31:45.980]  A couple other things that we can note
[01:31:45.980 --> 01:31:47.620]  about this particular system
[01:31:47.620 --> 01:31:52.780]  is that if we have a master key or even a change key,
[01:31:52.780 --> 01:31:54.400]  so just this change key,
[01:31:54.400 --> 01:31:57.920]  now all we need to do is vary and do rights amplification
[01:31:57.920 --> 01:32:00.760]  on these two middle pins
[01:32:00.760 --> 01:32:03.320]  to determine what the core remove key is.
[01:32:04.180 --> 01:32:06.660]  Pin three is a five.
[01:32:06.660 --> 01:32:11.140]  And so if we add three to it, it goes to four, three, two.
[01:32:11.140 --> 01:32:15.100]  And now we've hit the IC control line.
[01:32:15.100 --> 01:32:19.820]  And then pin four, we can vary in either direction
[01:32:19.820 --> 01:32:23.300]  to try to hit the IC control line for it as well.
[01:32:23.300 --> 01:32:25.200]  So we only actually have to vary one pin
[01:32:25.200 --> 01:32:30.420]  to go from our change key to an operable control key.
[01:32:30.420 --> 01:32:32.340]  It's just going to be for this lock.
[01:32:32.340 --> 01:32:35.240]  But what it lets us do is remove the IC core
[01:32:35.240 --> 01:32:36.640]  and then we can take it apart
[01:32:36.640 --> 01:32:38.080]  and disassembly of the lock
[01:32:38.080 --> 01:32:42.460]  then will let us derive the master key from that.
[01:32:43.140 --> 01:32:46.420]  Other types of locks have a similar situation.
[01:32:47.160 --> 01:32:51.940]  So Schlage and Yale control keys
[01:32:51.940 --> 01:32:54.120]  use a slightly different technology.
[01:32:54.120 --> 01:32:56.740]  They have a special seventh pin in the back
[01:32:56.740 --> 01:32:58.800]  where if the key is a bit longer,
[01:32:58.800 --> 01:32:59.740]  in the case of Schlage,
[01:32:59.740 --> 01:33:02.380]  it has this special nose on it sticking out.
[01:33:02.380 --> 01:33:04.940]  It's going to actuate that seventh pin,
[01:33:04.940 --> 01:33:07.680]  which will pull in this little retaining lug.
[01:33:07.680 --> 01:33:10.400]  And when it does that, you can then remove the core.
[01:33:10.520 --> 01:33:14.440]  So if you have an operable key for this particular lock,
[01:33:14.440 --> 01:33:16.540]  all you need to do is copy that key
[01:33:16.540 --> 01:33:18.360]  onto a slightly longer blank
[01:33:18.360 --> 01:33:21.360]  that contains this little nose on it.
[01:33:21.360 --> 01:33:23.580]  And you can use that key to remove the core,
[01:33:23.580 --> 01:33:25.960]  at which point you can then disassemble it
[01:33:25.960 --> 01:33:27.980]  and deduce the master key.
[01:33:27.980 --> 01:33:30.420]  Let's look at some rights amplification attacks
[01:33:30.420 --> 01:33:33.340]  in some special secondary locking systems.
[01:33:33.360 --> 01:33:34.780]  So we'll start with Mul-T-Lock,
[01:33:34.780 --> 01:33:37.720]  which has got a nice pin-in-pin system
[01:33:37.720 --> 01:33:39.920]  that we can attack using all the other techniques
[01:33:39.920 --> 01:33:41.520]  that we've talked about in this talk.
[01:33:41.560 --> 01:33:45.580]  But it also has side pins that are used for mastering.
[01:33:45.780 --> 01:33:47.160]  And effectively, these side pins
[01:33:47.160 --> 01:33:49.160]  are going to fit into these side dimples
[01:33:49.160 --> 01:33:50.620]  drilled into the key.
[01:33:50.900 --> 01:33:53.200]  And in this case, we have a correct key.
[01:33:53.200 --> 01:33:54.740]  The side dimples are all there,
[01:33:54.740 --> 01:33:57.480]  so the side pins are able to fit into it.
[01:33:57.480 --> 01:34:00.780]  And they don't impede rotation of the plug.
[01:34:00.780 --> 01:34:02.720]  When an incorrect key is inserted,
[01:34:02.720 --> 01:34:04.200]  there are no dimples,
[01:34:04.200 --> 01:34:06.720]  and so the side pins are forced out into the plug.
[01:34:06.720 --> 01:34:08.100]  And that's actually going to stop us
[01:34:08.100 --> 01:34:09.860]  from rotating that key.
[01:34:10.000 --> 01:34:11.820]  This is used for mastering.
[01:34:11.900 --> 01:34:13.160]  So we have, in this case,
[01:34:13.240 --> 01:34:16.280]  a key that's got four of the five holes drilled.
[01:34:16.280 --> 01:34:18.120]  This is its correct lock.
[01:34:18.120 --> 01:34:20.420]  So these four pins are present,
[01:34:20.420 --> 01:34:22.200]  and the key is able to turn.
[01:34:22.200 --> 01:34:24.820]  For a lock that is not supposed to be able to open,
[01:34:24.820 --> 01:34:27.160]  there'll be a pin populated here as well.
[01:34:27.160 --> 01:34:29.580]  And this lack of a hole prevents that pin
[01:34:29.580 --> 01:34:32.760]  from moving out of the housing,
[01:34:32.760 --> 01:34:35.480]  and it will stop the key from turning.
[01:34:35.960 --> 01:34:39.160]  This is, of course, a trivial thing to amplify.
[01:34:39.160 --> 01:34:41.100]  We just drill an additional hole,
[01:34:41.100 --> 01:34:44.280]  and now all of the mastering that's done
[01:34:44.280 --> 01:34:46.460]  with these side pins has been defeated.
[01:34:46.460 --> 01:34:47.840]  This key will work in anything
[01:34:47.840 --> 01:34:49.320]  regardless of the side pins.
[01:34:49.320 --> 01:34:51.240]  And then we just have to use the other techniques
[01:34:51.240 --> 01:34:55.360]  to rights-amplify the top cuts as well.
[01:34:55.360 --> 01:34:59.300]  So that's a very simple rights amplification attack.
[01:34:59.300 --> 01:35:00.860]  You can do something very, very similar
[01:35:00.860 --> 01:35:03.700]  by filing metal off of sectional keyways.
[01:35:03.700 --> 01:35:06.700]  So sometimes mastering is done by having a keyway
[01:35:06.700 --> 01:35:09.820]  that will not enter the keyway of some other lock
[01:35:09.820 --> 01:35:12.520]  that's not supposed to open, or a key that won't.
[01:35:12.520 --> 01:35:14.700]  But then we have a master blank
[01:35:14.700 --> 01:35:16.720]  that's going to enter both of these locks
[01:35:16.720 --> 01:35:19.180]  because it's got metal missing from it.
[01:35:19.400 --> 01:35:21.940]  And so all we need to do to rights-amplify there
[01:35:21.940 --> 01:35:24.060]  is take our key that works on
[01:35:24.060 --> 01:35:27.120]  one of the low-level keyways
[01:35:27.120 --> 01:35:31.140]  and just copy that bitting code onto our all-section blank,
[01:35:31.140 --> 01:35:34.620]  at which point it's going to then enter all of these locks
[01:35:34.620 --> 01:35:37.300]  and we'll be able to open them as well.
[01:35:37.560 --> 01:35:41.860]  With Medeco Biaxial, we see something quite similar.
[01:35:42.500 --> 01:35:46.880]  So Medeco Biaxial has potential for double cuts.
[01:35:47.360 --> 01:35:51.200]  And what we can have is in a particular pin position,
[01:35:51.200 --> 01:35:54.380]  the pin has got this beveled edge to it,
[01:35:54.380 --> 01:35:56.440]  so it goes to one side or another.
[01:35:56.440 --> 01:35:59.640]  It can bevel towards the shoulder of the key and be a fore cut,
[01:35:59.640 --> 01:36:03.080]  or towards the tip of the key and be an aft cut.
[01:36:03.300 --> 01:36:06.300]  In a master key that's got double cuts,
[01:36:06.300 --> 01:36:08.100]  regardless of whether the lock that we're in
[01:36:08.100 --> 01:36:11.000]  has a fore pin or an aft pin,
[01:36:11.000 --> 01:36:15.780]  it's going to interact with that key properly and open it up.
[01:36:16.060 --> 01:36:18.540]  And Medeco uses this for mastering as well.
[01:36:18.540 --> 01:36:21.220]  So a lower level key or a lower level master
[01:36:21.730 --> 01:36:24.140]  might be missing one of these cuts.
[01:36:24.480 --> 01:36:29.740]  We can very easily rights-amplify that if we have some mid-level master.
[01:36:29.740 --> 01:36:31.120]  So here's MKA.
[01:36:31.120 --> 01:36:35.400]  It's got five single cuts and a double cut in pin six.
[01:36:35.400 --> 01:36:39.040]  And then we have any old key on the B system.
[01:36:39.360 --> 01:36:43.200]  And so what we see, for instance, is this pin six,
[01:36:43.200 --> 01:36:45.540]  that is a double cut.
[01:36:45.540 --> 01:36:49.520]  Pin five, we have an aft and it's a right cut.
[01:36:49.960 --> 01:36:53.400]  In this key on the B system, in pin five,
[01:36:53.400 --> 01:36:56.500]  we have a fore and it's a left cut.
[01:36:56.600 --> 01:37:00.860]  So what we can do is take a left cut and add it to the fore position
[01:37:01.460 --> 01:37:04.740]  on our MKA at these same master depths.
[01:37:04.740 --> 01:37:08.560]  And that's actually going to amplify this key into a full GMK
[01:37:09.100 --> 01:37:11.480]  that's going to work on all locks,
[01:37:11.480 --> 01:37:14.560]  even if it has an aft pin in that position.
[01:37:14.560 --> 01:37:16.560]  Sorry, a fore pin in that position.
[01:37:16.640 --> 01:37:18.920]  And so we do that for all other positions
[01:37:18.920 --> 01:37:24.140]  where the fore-aft of our B key differs from our MKA.
[01:37:24.140 --> 01:37:30.520]  And we've effectively now amplified the power of our MKA key to be a full GMK
[01:37:31.120 --> 01:37:36.860]  using the information of these angles that we see on this key here.
[01:37:37.000 --> 01:37:41.220]  So now that we understand how the basics of Medeco Biaxial work,
[01:37:41.220 --> 01:37:45.980]  we can add a few tools to our arsenal to decode non-mastered Medeco systems.
[01:37:46.300 --> 01:37:48.520]  So if we start with a six-pin Medeco system,
[01:37:48.520 --> 01:37:52.740]  if it's non-mastered, it's going to follow Medeco's code books.
[01:37:53.000 --> 01:37:55.260]  And so the depths are going to follow those code books.
[01:37:55.260 --> 01:37:57.260]  Give the computer a second to compute.
[01:37:57.580 --> 01:38:01.700]  And what we see immediately is that pin one, two, five, and six
[01:38:01.700 --> 01:38:04.940]  will never be a one in a non-mastered system,
[01:38:04.940 --> 01:38:07.440]  at least for this older version of code books
[01:38:07.440 --> 01:38:09.260]  that we're going to be looking at today,
[01:38:09.260 --> 01:38:14.800]  which is true for just about every Medeco system created before 2008.
[01:38:15.320 --> 01:38:19.520]  So immediately we see that if we wanted to impression this lock,
[01:38:19.520 --> 01:38:21.480]  and you can impression Medeco locks,
[01:38:21.480 --> 01:38:24.460]  we'd start with two, two, one, one, two, two.
[01:38:24.460 --> 01:38:26.600]  And as we went through impressioning this,
[01:38:26.600 --> 01:38:28.940]  we would end up skipping a whole bunch,
[01:38:28.940 --> 01:38:32.840]  increasingly so as we get closer and closer to the final key.
[01:38:33.320 --> 01:38:35.360]  So the code books help with that.
[01:38:35.360 --> 01:38:37.720]  And of course, if we have a photo that's close
[01:38:37.720 --> 01:38:41.640]  but isn't quite enough to get the exact fitting,
[01:38:41.640 --> 01:38:43.800]  combining that with code books is usually enough
[01:38:43.800 --> 01:38:47.200]  to determine what the depths are.
[01:38:47.660 --> 01:38:53.260]  Medeco also has angles though, and the angles also have code books.
[01:38:53.600 --> 01:38:56.220]  So if we add that the code books must follow
[01:38:56.220 --> 01:38:58.940]  Medeco's non-mastered angle books,
[01:38:58.940 --> 01:39:02.720]  we see that right away, some of them are given already.
[01:39:02.720 --> 01:39:06.720]  So if we happen to have a pin three in the aft position,
[01:39:06.720 --> 01:39:08.640]  it's going to be a right cut.
[01:39:09.740 --> 01:39:12.680]  This can be useful now that we have this,
[01:39:12.680 --> 01:39:19.000]  if we know whether a particular lock is a fore or an aft in each position.
[01:39:19.160 --> 01:39:20.740]  How do we tell that?
[01:39:20.740 --> 01:39:25.020]  Well, here's a little device that we designed that does exactly that.
[01:39:25.020 --> 01:39:28.280]  So here's one version where you take a blank,
[01:39:28.280 --> 01:39:31.280]  you cut a little notch into the six aft position,
[01:39:31.840 --> 01:39:35.220]  and then you stick it into the lock and it will clunk, clunk, clunk
[01:39:35.220 --> 01:39:38.400]  all the way along as each pin fits into it.
[01:39:38.560 --> 01:39:43.280]  Based on how far it clunks, if it aligns with these lines for the fores or not,
[01:39:43.280 --> 01:39:45.400]  you can tell which is fore or aft.
[01:39:45.400 --> 01:39:48.920]  Here's another design that can be cut down from any key, not just a blank.
[01:39:48.920 --> 01:39:53.920]  We have a little tip at the end with a notch in it, again, in the six aft position.
[01:39:53.920 --> 01:39:59.700]  And we can clunk, clunk, clunk it along and make some marker marks on the key,
[01:39:59.700 --> 01:40:03.960]  and then decode it afterwards and determine whether this means
[01:40:03.960 --> 01:40:06.770]  fore or aft in each of these positions.
[01:40:08.080 --> 01:40:13.340]  So for instance, if we know that we have a lock in front of us,
[01:40:13.340 --> 01:40:19.040]  and we've decoded the fore and aft, and if we find it to be, let's say, aft,
[01:40:19.040 --> 01:40:27.840]  fore, aft, fore, fore, aft, in that particular case, what actually happens is
[01:40:28.250 --> 01:40:33.940]  we completely get the angle sidebar code figured out for us.
[01:40:33.960 --> 01:40:37.640]  I'm just going to remove the depths because they kill the compute time for now.
[01:40:39.140 --> 01:40:43.100]  If we aren't so lucky, this is the only case of fores and afts where that happens.
[01:40:43.100 --> 01:40:46.120]  Let's say we get a fore here and an aft there.
[01:40:46.120 --> 01:40:48.120]  So now we have a number of possibilities.
[01:40:48.360 --> 01:40:53.260]  We can help to decode what those angles are based on an innovation that
[01:40:53.780 --> 01:40:57.780]  Marc Weber Tobias and Tobias Bluzmanis came out with a number of years ago,
[01:40:57.780 --> 01:41:02.740]  which is Medeco bump keys, which takes advantage of flaws in their angle codebooks.
[01:41:03.960 --> 01:41:06.360]  But these bump keys, there's a set of four of them.
[01:41:06.360 --> 01:41:09.980]  And if we can get one of them to work once on this lock,
[01:41:09.980 --> 01:41:14.380]  then we can use that to create a key that will work very easily forevermore
[01:41:16.280 --> 01:41:19.260]  by identifying, well, one of these bump keys worked.
[01:41:20.620 --> 01:41:26.160]  And that's going to go ahead and figure out what those remaining unknown angles are
[01:41:26.160 --> 01:41:30.520]  based on the fact that that particular version of the bump key happened to work.
[01:41:31.080 --> 01:41:34.080]  If, say, even that isn't enough for us.
[01:41:34.080 --> 01:41:40.840]  So in this case, pin six, it could be a Q, which is a right cut or a B, which is a center cut.
[01:41:41.180 --> 01:41:44.560]  Right is 20 degree angle and center is zero.
[01:41:44.560 --> 01:41:48.960]  And another thing that Tobias has found out is that, like I mentioned before,
[01:41:48.960 --> 01:41:53.220]  with some locks being able to accept half height cuts in the heights,
[01:41:53.220 --> 01:41:55.260]  it'll accept half angle cuts.
[01:41:55.260 --> 01:41:59.800]  So I can make a key at 10 degrees, halfway between center and right.
[01:41:59.800 --> 01:42:02.980]  And that will actually operate this lock.
[01:42:03.140 --> 01:42:08.900]  So a number of techniques that we can use to decode Medeco systems.
[01:42:09.080 --> 01:42:13.760]  So we've covered a lot of techniques for how to use various sources of information
[01:42:13.760 --> 01:42:16.020]  to come down to a bitting code.
[01:42:16.020 --> 01:42:20.760]  So a number that represents what the key should be cut to, what depth that should be.
[01:42:20.760 --> 01:42:24.460]  But how do we take that and turn that into an actual usable key?
[01:42:24.520 --> 01:42:27.940]  Well, we could start with the key blank and file it down ourselves manually.
[01:42:27.940 --> 01:42:29.780]  That's a perfectly valid way of doing it.
[01:42:29.800 --> 01:42:35.560]  We can also use a machine if we happen to own a key machine, but many of us don't.
[01:42:35.820 --> 01:42:38.320]  And we could also try using a locksmith.
[01:42:38.320 --> 01:42:42.000]  So the general procedure for that is to identify the blank.
[01:42:42.000 --> 01:42:43.540]  It's often printed right on it.
[01:42:43.540 --> 01:42:47.220]  So WR5 for this Weiser or Y1 for this Yale.
[01:42:47.840 --> 01:42:51.000]  Determine the bitting code that you want using the techniques we talked about
[01:42:51.000 --> 01:42:54.860]  and go to a locksmith, so not a hardware store or a 7-Eleven,
[01:42:54.860 --> 01:42:56.980]  and ask if they can cut a key by code.
[01:42:56.980 --> 01:43:01.380]  If they say yes, give them the blank name and the code, such as a Schlage SC1
[01:43:01.380 --> 01:43:08.420]  with bitting code 04285, and they will usually cut it for you for the duplicating rate.
[01:43:08.500 --> 01:43:12.320]  If they happen to say that key is restricted, I can't cut you that.
[01:43:12.320 --> 01:43:16.060]  Check out the talk that myself and my brother Bobby gave last year entitled
[01:43:16.060 --> 01:43:20.080]  Duplicating Restricted Mechanical Keys at DEF CON 27.
[01:43:21.100 --> 01:43:26.580]  We'll talk a little bit about defenses, which is a huge field and could be a talk on its own.
[01:43:26.580 --> 01:43:32.340]  But the most salient point there is: avoid very large mastering systems.
[01:43:32.340 --> 01:43:35.900]  If the only reason you have building A and building B mastered together
[01:43:35.900 --> 01:43:39.860]  is so that the superintendent can carry one GMK instead of two,
[01:43:39.860 --> 01:43:43.840]  that's really not worth the added risk for that added convenience.
[01:43:44.060 --> 01:43:48.700]  You also don't want to master high security and low security facilities on one system.
[01:43:48.700 --> 01:43:55.300]  So I've seen cases where a nuclear facility was mastered together with public washrooms.
[01:43:55.300 --> 01:43:58.940]  The access control of those public washrooms is significantly less,
[01:43:58.940 --> 01:44:03.440]  and information from those locks can be used to infiltrate the nuclear facility.
[01:44:03.440 --> 01:44:07.480]  That's absolutely something that you want to be separating in your mastering system.
[01:44:07.820 --> 01:44:11.240]  A missing lock is as bad as a missing GMK.
[01:44:11.240 --> 01:44:13.920]  So if a lock goes missing and it can't be accounted for,
[01:44:13.920 --> 01:44:16.200]  you need to consider the possibility that someone has
[01:44:16.820 --> 01:44:19.520]  disassembled and decoded it and made the key.
[01:44:19.700 --> 01:44:22.160]  You can consider alternatives to the two-step system
[01:44:22.160 --> 01:44:25.860]  and other various systems that we've talked about that can be exploited.
[01:44:26.440 --> 01:44:28.020]  Specific to those attacks,
[01:44:28.020 --> 01:44:31.700]  this is somewhat dependent on whether it's actually in your threat model.
[01:44:31.700 --> 01:44:35.780]  This is not in the threat model for the majority of applications.
[01:44:35.780 --> 01:44:39.680]  You can use a restricted keying system that won't stop a determined attacker,
[01:44:40.160 --> 01:44:43.020]  but it can slow them down and it can drive the cost up
[01:44:43.020 --> 01:44:49.960]  and potentially deter them from carrying out the attack in certain cases.
[01:44:49.960 --> 01:44:54.540]  Your facility ultimately should be secure even if an attacker has the GMK.
[01:44:54.540 --> 01:44:58.220]  So you want to use secondary security systems,
[01:44:58.220 --> 01:45:02.660]  such as guards and alarms and a proper detection and response mechanism.
[01:45:03.000 --> 01:45:06.520]  All that a mechanical lock does is keep honest people honest,
[01:45:06.520 --> 01:45:08.340]  and there are loads of ways past it,
[01:45:08.340 --> 01:45:15.980]  both keying and forcible entry and all sorts of other methods that DEFCON is all about.
[01:45:16.540 --> 01:45:20.540]  And use interchangeable core or electronic components or something
[01:45:20.540 --> 01:45:25.100]  to make re-keying easier if that becomes necessary.
[01:45:25.100 --> 01:45:29.320]  You want to have a response plan in place for if the unthinkable happens
[01:45:29.320 --> 01:45:35.820]  and your GMK or a key to a particular important area gets compromised.
[01:45:36.820 --> 01:45:39.680]  If you see something like this, so a lock goes missing
[01:45:39.680 --> 01:45:44.040]  and you're not sure how that happened, you want to take that seriously.
[01:45:44.040 --> 01:45:47.620]  And for heaven's sakes, don't do this.
[01:45:47.940 --> 01:45:52.520]  So thank you very much. I encourage you to go try it.
[01:45:52.520 --> 01:45:55.160]  Here are all the links to the applications that I'm releasing.
[01:45:55.160 --> 01:45:58.260]  Try them out for yourself and see what you can discover with them.
[01:45:58.260 --> 01:46:02.360]  I'd like to extend an enormous thank you to Josh, Karen, Jenny and Bobby
[01:46:02.360 --> 01:46:04.740]  for their help in getting this talk prepared.
[01:46:04.740 --> 01:46:07.360]  In particular to Jenny, she absolutely saved the day
[01:46:07.360 --> 01:46:10.360]  with editing this video at the last minute.
[01:46:10.420 --> 01:46:12.560]  And I'd be happy to take your questions.
[01:46:12.560 --> 01:46:13.740]  Thank you very much.
